Scott McGeachy: European Commission publishes final version of New Standard Contractual Clauses
The European Commission has published the final version of the new Standard Contractual Clauses (New SCCs). This is an important development for multinational companies, and for any business that engages in international data transfers, writes Scott McGeachy.
The New SCCs will be required for transfers of European personal data to any “non-adequate” countries outside the EU / EEA, e.g. the USA or India. At this stage, the New SCCs would not cover transfers of UK personal data to “non-adequate” countries outside the UK. For the time being, the existing version of the standard contractual clauses (Old SCCs) should still be used for any transfers of UK personal data to “non-adequate” countries.
For any company that is currently using the Old SCCs for transfers of European personal data, it is important to put in place the New SCCs for your contracts as soon as possible. There is only a short window of three months to update your template contracts with new customers and suppliers. There is also a transition period of 18 months to implement the New SCCs for any existing contracts.
Background
The European Commission published the draft version of the New SCCs back in November 2020 in order to comply with new requirements under the GDPR. This draft version introduced new Modules which allow for different options to be selected for: (i) “controller to controller” transfers; (ii) “controller to processor” transfers; (iii) “processor to processor” transfers; and (iv) “processor to controller” transfers. This is a welcome innovation which recognises the wide range of different types of international data transfers.
In addition, the draft version of the New SCCs introduced a number of onerous new obligations for international data transfers to “non-adequate” countries – this was obviously influenced by the decision of the CJEU in the recent Schrems II case. In particular, the draft version of the New SCCs introduced a new requirement to assess the risk of disclosure of personal data to public authorities. The draft version also introduced an obligation for data importers to challenge the lawfulness of disclosure requests received from public authorities.
Changes in the final version of the New SCCs
A number of important changes have been made to the final version of the New SCCs. These include changes to key issues such as audit requirements, liability clauses, and indemnification provisions. It is important for companies to consider the impact of these changes on any Data Processing Agreements or Data Sharing Agreements, as the New SCCs will take priority in the event of any conflict with clauses under any related contracts.
Importantly, the European Commission has clarified some of the requirements for the risk assessment in relation to potential requests by public authorities for disclosure of personal data. The final version of the New SCCs states that it is necessary to assess the “law and practice” of a country’s public authorities in relation to such disclosure requests. As part of this, the European Commission has issued guidance which confirms that it is possible for parties to take into account any practical experience with prior cases of disclosure requests made by public authorities, or the absence of such requests.
This is a welcome clarification from the European Commission. The European Data Protection Board (EDPB) had previously been seeking to exclude such practical experience from the scope of any risk assessment. The EDPB had pushed to require parties to focus mainly on whether a public authority in a “non-adequate” country has the legal right to require disclosure of personal data. This type of restrictive approach would have placed an onerous burden on parties in relation to international data transfers, especially in cases where there is only a low risk of a public authority ever requesting disclosure of personal data in practice.
Enforcement in relation to international data transfers
It is increasingly important for companies to comply with the new requirements for international data transfers. Since the Schrems II decision, we have started to see an increased level of enforcement action on this issue in a number of EU countries.
For example, in March 2021, the Bavarian Data Protection Authority ruled that a fashion magazine made an unlawful international data transfer to the popular US email marketing service, Mailchimp. In that case, it was found that the parties had failed to consider putting in place supplementary measures to protect data from access by US public authorities.
Similarly, in April 2021, the Portuguese Data Protection Authority ruled that Portugal’s National Institute of Statistics had to cease its international transfers of personal data to an IT company based in the USA. This was because the parties had failed to put in place supplementary measures to ensure a sufficient level of protection for the data.
Other developments
In the UK, the Information Commissioner’s Office (ICO) has announced that it will publish its own bespoke UK SCCs for international data transfers of UK personal data. The ICO is due to publish a draft version for consultation in the summer. However, the ICO has indicated that it may also recognise the validity of the EU’s New SCCs for transfers of UK personal data – this would be welcome news for many businesses, as it would avoid having to put in place different sets of clauses for data transfers from the UK and the EU / EEA.
The EDPB is also due to publish its finalised guidance on supplementary measures to be put in place for international data transfers. This will address the circumstances where it is necessary to supplement the New SCCs with additional measures (e.g. encryption) in order to protect data transferred to “non-adequate” countries. It is hoped that this guidance will be published following the EDPB’s next plenary meeting on 15th June 2021.
Next steps
As mentioned, companies now only have a short window of three months to update their existing template contracts by adding the New SCCs. In addition, for any existing contracts that currently rely on the Old SCCs, there is a legal requirement to add the New SCCs to these contracts within the 18-month transition period. Failure to do so could lead to regulatory enforcement action by Data Protection Authorities in EU countries.
In light of the New SCCs, it will also be necessary for companies to review the contract terms of their template Data Processing Agreements, and to consider updating the terms of Data Processing Agreements with existing customers and suppliers.
Scott McGeachy is an associate at Burness Paull