The European Commission has issued new Standard Contractual Clauses designed to facilitate international transfers of personal data in compliance with the GDPR. The new provisions better reflect the variety of global data flows, but do little to alleviate the regulatory burden arising from last year’s Schrems II decision and create potential challenges for companies outside the EEA with activities in scope of the GDPR. There is an 18-month period for organizations to transition to the new clauses.
On June 4, 2021, the European Commission (EC) adopted new Standard Contractual Clauses (SCCs) for the transfer of personal data from the European Economic Area (EEA) to third countries whose privacy regimes are not deemed “adequate” by the EC.
The new SCCs were adopted following consultation and feedback on draft versions (see our earlier OnPoint) and in the wake of last year’s decision by the Court of Justice of the European Union (CJEU) in Schrems II invalidating the EU – U.S. Privacy Shield for personal data transfers from the EEA to the U.S. The CJEU decision also called into question the practice of simply relying on the then-current SCCs for transfers of personal data from the EEA to the U.S. and other non-“white-listed” countries.
Modular Format and Broader Applications
The new SCCs remain non-negotiable, apart from the addition of commercial terms that do not conflict with the SCC provisions, and consist of four “modules” to implement depending on the data transfer use case and the exporter’s and importer’s GDPR status. These modules are:
- Controller to Controller
- Controller to Processor
- Processor to Sub-Processor
- Processor to Controller
The old SCCs only allowed for transfers in Controller to Controller and Controller to Processor scenarios. The addition of Processor to Sub-Processor and Processor to Controller terms significantly expands the availability of SCCs. This is a welcome development for many processors and their customers and much needed in a global data ecosystem which is becoming increasingly complex.
In addition, the new SCCs specifically cater to non-EEA data exporters subject to the GDPR – a use case that has been sorely lacking. The GDPR not only restricts transfers of data out of the EEA but also ‘onward’ transfers and transfers by non-EEA businesses whose activities are within scope of the GDPR. The old SCCs did not cater to restricted transfers of data already outside the EEA.
Limitations to the Scope
While the modular format allows the SCCs to be used in a greater variety of transfer scenarios, the EC has only approved the new SCCs for transfers of personal data where the importer’s use of the data will not be subject to the GDPR. (See, for example, Recital 7 and Article 1 of the Implementing Decision).
This raises a question of what safeguards must be put in place where the data importer will be processing data subject to the GDPR (for example, where the data importer’s activities are closely linked to the activities of an EEA establishment, or relate to offering goods or services to individuals in the EEA), given that such a transfer would still appear to be subject to the GDPR’s international data transfer restrictions. Even though the SCCs are not designed for these kinds of transfers, some may decide to take the position that implementing the SCCs may be reasonable to protect the data (albeit without the certainty that comes with EC approval). Others may take the view that more limited safeguards are sufficient where the processing outside the EEA will be subject to the GDPR (this is a view supported by the UK regulator’s guidance).
Because the SCCs do not provide a pre-approved solution for transfers to data importers subject to the GDPR, the steps required to legitimize these transfers are likely to be more fact-dependent and uncertain, at least until the EDPB issues guidance on the subject.
2-4-1 on Processor Terms
Apart from the restrictions on data transfers, Article 28 of the GDPR requires specific provisions to be put in place between data controllers and data processors. The EC has stated that the new SCCs also satisfy Article 28 requirements. However, the provisions in the SCCs do not appear as extensive as the EDPB has suggested the terms need to be. Companies may therefore find that different supervisory authorities have different standards for Article 28 compliance (one indicator would be whether a supervisory authority has adopted Article 28 standard clauses for use in any cross-border data transfers). The new SCCs offer the benefit of streamlining the contracting process by eliminating the need for a separate data processing agreement, but processors may find that they are less able to include processor-favorable terms.
Schrems II Safeguards
One of the more significant updates is that the new SCCs include provisions aimed at addressing the concerns of the CJEU in Schrems II. The new SCCs appear to reflect a concerted effort by the EC to ensure the clauses withstand the kind of challenge that was fatal to the Privacy Shield and has jeopardized their use for data transfers from the EEA to the U.S. Hence the inclusion of obligations to assess the risk of foreign law enforcement or intelligence agency access to personal data that is disproportionate and presents no recourse to data subjects. The new SCCs include clauses mandating a multi-step assessment and implementation of technical, organizational and administrative safeguards. Note though that the new SCCs do not absolve businesses of the need to undertake their Schrems II assessments (see our OnPoint for further guidance).
The UK Position
The UK ICO has indicated that the new SCCs are not valid for transfers subject to the UK GDPR. Instead, the old SCCs remain the appropriate form for transfers by exporters subject to the UK GDPR. The UK ICO is set to consult this summer on new ‘UK’ SCCs. It will be interesting to see whether the new UK SCCs are influenced by and adhere to the EC’s approach, or whether the new UK SCCs will mark a divergence between the UK GDPR and EU GDPR.
While companies subject to the UK GDPR can continue to use the existing SCCs in the meantime, it seems likely that contracts involving transfers subject to both the EU and UK GDPR (not to mention other jurisdictions with export restrictions such as Switzerland and Israel) will become even lengthier and more complex in future, in order to account for different sets of SCCs. The EC has acknowledged this and said that it will strive for greater international cooperation.
The new SCCs enter into force on June 27, 2021. The existing SCCs will cease to be valid from September 27, 2021, but companies can continue to use them, even for new contracts, until that date. After this, companies will have an additional 15 months (until December 27, 2022) to transition to the new versions.
Given the transitional period there is no need for all companies to rush to amend all of their contracts containing the old SCCs (particularly ones with touchpoints with both the EU and UK GDPR, given the new UK SCCs due from the UK ICO). That said, companies will want to allow sufficient time to prepare for potential business impacts brought about by the new SCCs. Businesses can start by auditing existing contractual arrangements and identifying any changes that will be necessary. In addition, exporters in processor roles or non-EEA exporters who have been using the old SCCs (even though those technically did not apply in such scenarios) may wish to be more proactive in putting new documentation in place now that the SCCs are likely to be more fit-for-purpose. Alongside their contractual audits, companies should also undertake their broader Schrems II assessments, including transfer risk assessments, to the extent not already carried out.
We will continue to keep you apprised of key developments.