Takeaways

After invalidation of the Privacy Shield by Europe’s top court, many businesses came to rely upon Standard Contractual Clauses (SCCs) for their data transfers. This decision will invalidate all current SCCs and replace them with new SCCs.
The new SCCs adopt a "modular" approach and set out the rights and obligations of processors under article 28(3) and (4) GDPR. This will result in the need for a significant repapering exercise for businesses.
Businesses have just three months left to use the current SCCs if desired, and in eighteen months the new SCCs will be the only version that may be relied upon.

Today, 4 June 2021, the European Commission published its final decision on standard contractual clauses for the transfer of personal data to “third countries” pursuant to the GDPR. The decision includes the final version of the new standard contractual clauses (SCCs) for this purpose. The new SCCs are long-awaited, following the introduction of the GDPR three years ago and a ruling in 2020 from Europe’s top court (Schrems II) invalidating the EU-U.S. Privacy Shield data transfer scheme as well as raising concerns with current SCCs.  

The decision shall enter into force on the twentieth day following that of its publication. The current SCCs are repealed three months after that, with a further 15-month grace period included in the decision during which the current SCCs may still be relied on.

The New SCCs

The new SCCs adopt a modular approach. There is only one Annex with one “set” of clauses, further split into “modules” depending on the relationship between the parties (including the previously covered arrangements of transfers from “controller to controller” and “controller to processor”, along with new “processor to processor” and “processor to controller” provisions). It is for organisations to then select the appropriate modules to be incorporated into the data transfer agreement. This differs significantly from the current approach, in which the relevant SCCs were contained in different decisions, depending on the relationship between the parties.

Another key addition in the new SCCs is the introduction of the optional Section 1 Clause 7, which allows a new entity that was not originally a party to the clauses to accede to the agreement (either as a data exporter or as a data importer).

Some other key changes in the new SCCs are as follows:

  • Schrems II-inspired provisions have been included with specific obligations placed on the parties in relation to any potential interference of local laws with compliance with the SCCs and further, specific, provisions relating to government access requests.
  • The new SCCs include guidance on the specific technical and organisational measures required to ensure the security of data in Annex II.
  • Data importers acting as data controllers must now report data breaches directly to the relevant supervisory authority. This may cause tension, for example when two sharing controllers disagree on whether a breach is reportable.
  • Sub-processors also have direct obligations under Module 3 of Section II of the new SCCs, including obligations to inform the controller of any data breaches "where appropriate and feasible". The exact meaning of "appropriate and feasible" remains to be developed but it is worth noting that "and feasible" was not present in the original draft open for consultation.
  • Article 1(2) of the new decision states that the SCCs set out the rights and obligations of controllers and processors with respect to article 28(3) and (4) GDPR. This differs from the current approach, in which such clauses are found in the overarching data transfer agreement (DTA) (or data processing agreement (DPA)).

Owing to the modular approach of the new SCCs, and the incorporation of a number of provisions previously reserved for the overarching agreement, the repapering exercise needed by businesses will require some detailed considerations and will need to go beyond simply swapping out current SCCs for the new ones as an appendix to any DPA or DTA.

Businesses should act now. A project plan should be initiated for updates to agreements, and businesses should not be lulled into a false sense of security by the short implementation period available. Equally, care should be taken to consider the new clauses carefully and not rush changes but rather tailor them to the business properly, as there is more scope to get this wrong with the new SCCs.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.