The European Commission has recently issued an implementing decision on the adoption of new sets of standard contractual clauses (SCCs) for the transfer of personal data to countries outside the European Economic Area (EEA). This requires organizations to use the new SCCs from 27 September 2021. To meet their obligations under the General Data Protection Regulation (GDPR), firms now need to make technical and organizational changes, by the December 2022 deadline. 

An equal level of protection for cross-border data transfers

In the European Union (EU), the General Data Protection Regulation or GDPR determines the rules for processing personal data. It aims to provide an equal, high level of protection of personal data for all data subjects (individuals) in the EU, regardless of the location where the personal data is processed. In those situations where the personal data is processed in the EEA, GDPR applies directly and adherence to the principles is mandatory. However, where an organization has transferred personal data to a processor or other recipient outside the EEA, i.e. ‘cross-border data transfers’, GDPR may not apply directly. In these cases, other legal mechanisms must be adopted to guarantee an equal level of data protection for EU data subjects.

The article focuses the use of SCCs for cross-border transfers of personal data, which were updated in June 2021.

What is the reason for this legislative change?

Organizations have used SCCs since 2001, under the Directive on Protection of Personal data of 1995, with updates in 2004 and 2010. With the application of GDPR in 2018, the existing sets of SCCs became somewhat outdated. In addition, they no longer facilitate the complex relationships between controllers and processors.

In its Decision, in the so called Scherms II judgment, the Court of Justice of the European Union (ECJ) invalidated the EC Decision on the EU-US Privacy Shield. From 16 July 2020, organizations can no longer rely on the EU-US Privacy Shield schedule to transfer personal data to recipients located in the United States. Consequently, firms would rely on SCCs or adopt Binding Corporate Rules for such transfers. To ensure that firms implemented the necessary technical and organizational measures to provide an equal level of data protection, the ECJ decided that a Data Transfer Impact Assessment (DTIA) must be carried out where this not guaranteed. This requirement is included in the new SCCs.

The concept of standard contractual clauses 

SCCs are a contract addendum with provisions governing the handling of personal data. The express language of SCCs has been preapproved by the European Commission to be used in a contract for lawfully transferring such data from the European Union/European Economic Area to other countries deemed to have less-stringent data privacy laws. SCCs are heavily relied upon to facilitate international data transfers and global business activities. 

Key changes within the SCCs

The ECJ Decision in the Schrems II judgment on international data transfers has been taken into consideration for the new SCCs, together with the need to align the former SCCs with GDPR and bring them up to date with developments in the digital economy. This includes the following:

• Modular structure: The new SCCs feature a modular structure of clauses that data exporters will use, based on the nature of their roles and responsibilities in relation to the data transfer in question:

1. Controller-to-controller transfers (C2C)
2. Controller-to-processor transfers (C2P)
3. Processor-to-processor transfers (P2P): new since 2021
4. Processor-to-controller transfers (P2C): new since 2021

• GDPR alignment: The new SCCS closely align with the terminology and provisions of GDPR and have incorporated the requirements of Article 28 GDPR into the C2P and P2P modules.
  
  
• Docking clause: The new SCCs facilitate multi-party configurations by allowing new parties to accede to the international data transfer agreement between the existing parties throughout the lifecycle of the agreement. Where the organization wants to make use of this configuration, the data processing agreement should refer to it.
  
  
• Data transfer impact assessment (DTIA): The new SCCs specify the requirement to conduct a transfer impact assessment. Data exporters and data importers need to assess whether the laws and practices of the third country pose a barrier to the data importer’s compliance with the new SCCs. The new SCCs list certain matters that need to be taken into account in that regard, ranging from the circumstances of the transfer to the nature of the parties and personal data involved, and from the laws and practices of the third country of destination to the existence of any supplementary measures. These factors can change in time, meaning this should be a recurring exercise. The European Data Protection Board’s (EDPB) Recommendations and the Essential Guarantees provide additional guidance on these aspects of the assessment.
  
  
• Active accountability: The new SCCs make it clear that data exporters and data importers need to be able to demonstrate compliance with the new SCCs from the outset and on an ongoing basis. The new SCCs lay down the obligations for the data exporter and data importer. For example, the data importer’s obligations to perform a legality review and its notification and documentation obligations when it receives a legally binding request to access personal data from competent authorities.
  
  
• Explicit data subject rights: The new SCCs now explicitly mention that, upon request, data subjects must be provided with a copy or a meaningful summary of the international data transfer agreement. In addition, they need to be notified in the event of a high-risk data breach as well as of any access request by competent authorities (if permitted).

Enforcement

To sum up, the European Commission issued an implementing decision on standard contractual clauses on 4 June 2021 for the transfer of personal data to countries outside the European Economic Area, including the United Kingdom. As a result:

• From 27 September 2021, any cross-border data transfer that relies on the SCCs as a legal transfer mechanism will need to be based on the new SCCs. In addition, if an amendment is made to an existing data transfer agreement from this date, the former SCCs will need to be replaced by the new SCCs.
  
• By 27 December 2022, the new SCCs need to be incorporated into all cross-border data transfer agreements, irrespective of when these agreements were concluded. Any existing agreements incorporating the former SCCs must be replaced by this date.

Next steps

To achieve timely compliance, we recommend that organizations ensure that the following actions are carried out:

From 27 September 2021

• Review or obtain professional legal briefing regarding the new SCCs to understand whether any internal administrative or technical changes must be implemented in order to enter into the new SCCs with contracts
• Inform stakeholders and partners about legal implications and recommendations, invest in training and explore opportunities for automation
• Prepare and update DPAs and new SCCs for contract forms and templates
• Perform TIA for new and existing cross border data transfers
• Identify all current contracts with partners that rely on the old SCCs for data transfers, including those involving sub-contractors.

Before 27 December 2022

• Identify contracts reflecting processor-to-controller or processor-to-processor relationships – scenarios not previously accounted for – to determine if new SCCs are necessary even though no SCCs are currently in place
• Communicate with counterparties and enter into contract negotiations to ensure timely adoption of the new SCCs.

How Capco can help 

The implementation of the new standard contractual clauses will require the involvement of people with an expertise in data protection law, information security and third-party management. Capco’s ICT-risk practice combines these areas of expertise to offer its clients a 360° approach. More specifically, our practice can:

• Provide SCCs-templates for the four modular structures described above and guided instructions to complete the SCCs
• Perform Data Transfer Impact Assessment (risk-based), taking into account the current technical and organizational best practices
• Manage change and the associated stakeholder training (e.g. management, business owners, legal, etc)
• Mitigate data protection risks arising from using third parties
• Explore opportunities for automation

Capco has extensive experience in ensuring that cross-border transfer of personal data is managed in full compliance. 

Contact us to discuss how we can help your organization successfully implement new SCCs in time for the EU’s decision deadline. 

AUTHOR

Guy Klerkx, Manager Consultant
Yasmine Verkooijen, Consultant

CONTACT

Alexandre Vandeput, Principal Consultant
M: +32 499 755 200
E: alexandre.vandeput@capco.com