The New Standard Contractual Clauses: Scope, Impact, and Next Steps

On June 4, 2021, the European Commission published its new Standard Contractual Clauses (the “New SCCs”) for international transfers of personal data subject to the EU General Data Protection Regulation (“GDPR”). Although the New SCCs have been long-anticipated because the existing SCCs have not been updated in over a decade, the New SCCs also take into account the Court of Justice of the European Union’s decision in Schrems II issued last summer (discussed in our prior alert here), which struck down the EU-US Privacy Shield but upheld the validity of the existing SCCs, subject to risk assessments and implementation of supplemental safeguards. According to the European Commission, the New SCCs give greater legal certainty and flexibility to businesses that want to share data internationally and “address the realities faced by modern business.”

The New SCCs & Their Relationship to Schrems II 

The New SCCs incorporate the Schrems II decision’s requirements for risk assessments and supplemental safeguards, making these contractually binding requirements. Specifically, Section III of the New SCCs addresses the Schrems II decision’s primary concern with the existing SCCs—a lack of protection against access and use of transferred data by public authorities. The New SCCs require the data exporter and data importer to warrant that they have no reason to believe the laws in the country of destination for the transferred data will prevent the data importer from fulfilling its obligations under the New SCCs. The data exporter and data importer must cooperate on and document an assessment to support this warranty, which must be made available to EU supervisory authorities on request.

The New SCCs appear to take a risk-based approach to this assessment by permitting parties to consider different elements as part of their overall assessment of risk. For example, these elements could include practical experience with prior instances of requests for disclosure from public authorities. Practical experience should also be supported by other relevant, objective elements and be corroborated, and not contradicted, by reliable information that is publicly available or accessible, such as case law.

The New SCCs also set forth the obligations of a data importer when it receives a request for access, or becomes aware of access, by public authorities to personal data transferred pursuant to the New SCCs. Among other things, the New SCCs require a data importer to notify the data exporter and, where possible, the data subject, promptly following receipt of such a request for access or upon becoming aware of such access.

Scope & Composition of the New SCCs

While the New SCCs replace the existing SCCs, they share a common scope. Like the existing SCCs, the scope of the New SCCs is transferring personal data subject to the GDPR to recipients in countries that have not been deemed to provide adequate protection for personal data by the European Commission. However, unlike the existing SCCs, the New SCCs are designed to be more versatile. They take a modular approach, giving organizations the ability to tailor SCCs to specific circumstances. The New SCCs address four types of transfers: (1) controller-to-controller, (2) controller-to-processor, (3) processor-to-processor, and (4) processor-to-controller; whereas the existing SCCs only addressed controller-to-controller and controller-to-processor transfers.

Additional Changes in the New SCCs

The New SCCs’ modules also cover the contractual requirements for data processors found in Article 28 of the GDPR, which may streamline controller-processor contracting. However, organizations that want to specify data processing requirements beyond the scope of Article 28 will need to remember to incorporate such requirements into data processing agreements outside of the New SCCs.

The New SCCs include a “docking clause” that permits a third party to become a party to the New SCCs at any point in time, which should prove helpful for organizations, especially multinational organizations involved in acquisition and/or divestiture strategies.

Additionally, under the New SCCs, upon request and free of charge, data subjects must be provided with a copy of the SCCs, as completed by the parties to the SCCs for the applicable transfer(s). The parties to the New SCCs will need to complete three annexes attached to the Appendix of the New SCCs.

Annex I to the New SCCs must include:

  1. A list of parties to the SCCs, which may include many parties depending on the applicable modules;
  2. A description of the transfer(s), including the categories of data subjects, categories of personal data transfers, any sensitive data transferred and related safeguards, the frequency of transfer, the nature of the processing the purpose of processing, the retention period for the personal data, and, for transfers to sub-processors, the subject matter, nature, and duration of the processing; and
  3. The identity of the competent European supervisory authority for each party to the SCCs.

Annex II to the New SCCs should be completed by the data importer(s) to include a description of the technical and organizational measures implemented to ensure an appropriate level of security for the data transferred. Annex III must list the sub-processors used by the processor, if there is a specific authorization of sub-processors.

Transition Period

Organizations may continue using the existing SCCs for the next three months for new data transfers and data processing agreements, but after the three-month period must use the New SCCs for any new data transfers and data processing agreements. However, for some organizations, it may be more practical to immediately integrate the New SCCs into any new data processing agreements as well as agreements currently being negotiated. Furthermore, the Schrems II requirements for a risk assessment and supplemental safeguards still apply now as a result of the Schrems II decision. For contracts that currently rely on the existing SCCs, there is an 18-month grace period before organizations will be required to rely on the New SCCs.

Next Steps & Moving Forward

Organizations should refer back to their data maps and start identifying all data transfers reliant on the existing SCCs and the type of transfer being undertaken (i.e., controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller).

Next, organizations should review existing data processing agreements and work with their counterparts under these agreements to amend, and potentially consolidate, applicable agreements to incorporate the appropriate module(s) of the New SCCs.

If you need assistance complying with the New SCCs or have any questions regarding these developments, please contact one of the authors or another one of our Cybersecurity & Data Privacy attorneys.

Special thanks to Cyrie T. Wilson for her contributions to this article.