Orrick's Cyber, Privacy & Data Innovation and IP Licensing & Technology Transactions groups cover the top 10 things you need to know about the new Standard Contractual Clauses ("SCCs") published today by the European Commission ("Commission"). You can also listen to a discussion about the developments here.
The Commission published two sets of standard contractual clauses today, June 4, 2021. The "First Set" replaces the current set of standard contractual clauses for transfers of personal data outside the European Economic Area ("EEA") which were approved by the Commission under the old Directive 95/46/EC ("Old SCCs"). The "Second Set" may be used for service-provider data processing, regardless of whether a transfer outside the EEA is taking place. We refer to these two sets as the "New SCCs".
The General Data Protection Regulation ("GDPR") restricts transfers of personal data outside the EEA unless an exemption applies. The Standard Contractual Clauses have, over the years, been a popular mechanism to transfer personal data outside of the EEA, especially in recent months in the wake of the Schrems II decision that invalidated another transfer mechanism, the EU-US Privacy Shield.
Though grandfathered in by the GDPR, the Old SCCs were in need of some updating (not least to remove references to a law that was superseded over three (3) years ago).
The First Set, published today, replaces the Old SCCs (though there is a grace period for replacing the Old SCCs – see Question 7, below).
Yes. The Old SCCs/New SCCs are known by various names – "model clauses," "model contracts," or "standard contractual clauses."
The First Set deals with international transfers of personal data. The Second Set is a standard data processing agreement, which covers the appointment of processors under Art. 28 of the GDPR. This is a standard agreement which primarily will be used for processor engagements within the EEA. The Commission can adopt such standard data processing agreements under Art. 28(7) of the GDPR.
The First Set can be used for transfers of personal data from the EEA to recipients in countries that are not deemed to provide adequate protection for personal data by the Commission. Unlike the Old SCCs, which covered controller to controller transfers in one set of clauses, and controller to processor transfers in another set, the First Set is designed to be more versatile. It follows a modular approach that allows for transfers from: (i) controller to controller; (ii) controller to processor; (iii) processor to processor; and (iv) processor to controller.
The Second Set is intended for use between controllers and processors and sets out provisions that would meet the requirements under Art. 28 of the GDPR (regardless of whether an international transfer is taking place).
The Court of Justice of the European Union ("CJEU") declared last year that the Old SCCs remained a valid legal mechanism for transferring personal data from EEA-based organizations to recipients outside the EEA. The CJEU (and later the European Data Protection Board ("EDPB"), through draft recommendations) also, however, stated that an assessment should be carried out on a case-by-case basis as to whether, in the context of the particular transfer under consideration: (i) the Old SCCs are sufficient to safeguard personal data; and (ii) appropriate additional safeguards should be implemented.
The First Set contains provisions which seek to address any effects that the destination country's laws might have on the data importer's compliance with its obligations under the First Set. This includes provisions governing how to deal with binding requests from public authorities in the destination country, as well as warranties as to the accuracy of the parties' assessment of the laws of the destination country and the protection such laws afford to personal data.
While the First Set includes contractual safeguards for the international transfer of personal data, it does not remove the concerns flagged by the CJEU altogether. Organizations transferring personal data outside the EEA will still need to undertake the relevant risk assessment and, where appropriate, implement technical and organizational safeguards to supplement the contractual provisions contained in the First Set. It may also be necessary to agree on additional supplemental contractual obligations. All of these measures are prescribed in detail in the EDPB's recommendations.
Importantly, the EDPB is due to adopt its (current draft) recommendations in the coming days. These recommendations will hopefully shed some light on how the New SCCs, and the EDPB's recommendations, are intended to coexist going forward.
The New SCCs come into effect on "the twentieth day following that of its publication in the Official Journal of the European Union" (publication of the new SCCs in the Official Journal is expected "in the coming days"). When the New SCCs come into effect, companies can start using the New SCCs for their international transfers. This would appear to be towards the end of June 2021.
The Old SCCs will be repealed three (3) months after the New SCCs are published in the Official Journal. Importantly – the Commission grants companies a grace period of fifteen (15) months to continue using Old SCCs in agreements that are concluded before the Old SCCs are repealed. However, this is only on the condition that the processing operations under the contract remain unchanged and that "reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards" (meaning that the risk assessment required by Schrems II – as expanded under the EDPB's recommendations – will still need to be carried out).
Taken together, this would appear to mean that all Old SCCs will need to be replaced with the First Set, at the latest, by approximately December 2022 – i.e. roughly eighteen (18) months (assuming that the parties want to continue to rely upon Standard Contractual Clauses as the mechanism to facilitate transfers outside of the EEA).
As for the Second Set, it does not replace any existing terms and may simply be used as a template for future data processing agreements.
Whether the Old SCCs can be used in agreements currently being negotiated depends on when they are likely to be finalized. You can use the Old SCCs if the negotiations are finalized within the next three (3) months. At that point, the Old SCCs will be repealed.
The advantage of relying on the Old SCCs is, of course, their familiarity for organizations outside the EEA and UK. The New SCCs bring their own challenges with implementation and interpretation, particularly in the absence of any practical guidance from regulators on their use.
That being said, if the term of any agreement being negotiated is likely to last beyond December 2022, the Old SCCs will, in due course, need to be replaced with the New SCCs and so the parties may want to use the New SCCs now rather than set themselves up for a further amendment later.
That being said, for the large number of UK companies that also fall within the scope of the EU GDPR, transfers to non-EEA recipients that require an approved transfer mechanism will need to be made on the terms of the new First Set.
With that in mind, it would seem impractical (though not beyond the realms of possibility) for the ICO to reject the First Set altogether and require UK companies to use the Old SCCs or a new set of UK-specific clauses.