15 July 2021

Client Update: New Standard Contractual Clauses Released

Overview

On June 4, 2021 the European Commission released two new sets of Standard Contractual Clauses (Standard Clauses or SCC), which can be used to govern transfers of personal data under the General Data Protection Regulation (GDPR). The prior versions of the Standard Clauses, which are currently in use to allow for transfers of personal data out of the European Economic Area to countries that the Commission has not found to provide an adequate level of protection for personal data (i.e. countries without an Adequacy Decision), will gradually be phased out and will need to be replaced by the revised versions. While the revised SCCs allow for more flexibility in contracting than the prior versions, they also include increased documentation and security requirements, which present a greater compliance burden.

Data Transfers Background

Under the GDPR, personal data relating to data subjects in the European Economic Area (EEA) may be transferred out of the EEA only under certain conditions. Personal data may be transferred, without additional safeguards, to a country that is the subject of an Adequacy Decision of the European Commission, such as Israel. Transfers to a country without an Adequacy Decision, such as the US, require an approved transfer mechanism and, where necessary, additional safeguards. Until July 2020, transfers to the US were permitted under the EU-U.S. Privacy Shield framework, which the Court of Justice of the European Union invalidated in its 'Schrems II' decision. Schrems II confirmed that the Standard Clauses (whose prior versions predate the GDPR) remain a valid transfer mechanism, but only if the data exporter, whether a controller or a processor, (i) assesses, case by case, whether the laws and practices of the recipient country allow the data importer to provide a level of protection essentially equivalent to that guaranteed in the EEA, and (ii) where they do not, puts in place supplementary measures that close the gap, or refrains from transferring the data. Supplementary measures of the kind the European Data Protection Board has identified include encryption of the data in transit and at rest with the keys held outside the reach of the importer and of the recipient country's authorities, pseudonymisation such that the importer alone cannot re-identify the data subjects, and anonymisation (anonymised data is no longer personal data, so its transfer falls outside the GDPR altogether).

Revised Standard Contractual Clauses – What's New?

Two new sets of SCC were released: one set of clauses for contracts between controllers and processors under Article 28 GDPR (a standard form of data processing agreement, which does not by itself legitimise a transfer), and a second set, under Article 46 GDPR, which provides the legal basis for transfers of personal data out of the EEA to countries without an Adequacy Decision. The remainder of this update concerns the second set. The new versions take into account the requirements of the GDPR as well as the Schrems II decision.

The new SCC are modular and can be used in a range of transfer scenarios. While the prior versions only covered transfers from a controller to a processor or between two controllers, the new version adds modules for transfers from a processor to a sub-processor and from a processor to a controller, and a 'docking clause' that allows additional parties to accede to an existing set of clauses over time, so that a single agreement can cover transfers among multiple parties.

Under the new SCC, the data exporter must warrant that it has used reasonable efforts to determine that the data importer is able to satisfy its obligations under the Clauses. Both parties must also warrant that they have no reason to believe that the laws and practices in the recipient country applicable to the processing of the personal data, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the Clauses.

Along with these additional warranties, the new SCC have greatly increased documentation requirements. While the GDPR and the Schrems II decision already required that parties investigate the applicable law in the recipient country and implement technical measures to ensure an adequate level of security, the new SCC require that the assessment of the recipient country's laws and practices, and of any supplementary measures relied on, be documented and made available to the competent supervisory authority on request, and that the data importer make available to the data exporter the information necessary to demonstrate its compliance. The technical and organisational measures used to protect the personal data involved in the transfer must be set out in an annex to the Clauses in specific, not generic, terms; a bare statement that 'appropriate security measures' are in place does not satisfy this requirement.

Concern over requests by governmental authorities in the recipient country for access to personal data was the reason for the invalidation of the EU-U.S. Privacy Shield. Under the new SCC, if the data importer receives a legally binding request from a public authority for disclosure of transferred personal data, or becomes aware of any direct access by public authorities to such data, it must promptly notify the data exporter and, where possible, the data subject; it must review the legality of the request and challenge it where there are reasonable grounds to do so; and, in any event, it may disclose only the minimum amount of information permissible when responding. Where the importer is prohibited from notifying the exporter, it must use its best efforts to obtain a waiver of the prohibition.

Timeline

  • The new SCCs entered into force on June 27, 2021.
  • The prior versions may continue to be signed for three months from that date, i.e. until September 27, 2021.
  • After September 27, 2021, the prior versions of the SCC may no longer be signed. Contracts already concluded on the prior versions may continue in force for a further 15 months, until December 27, 2022, provided the processing operations that are the subject matter of the contract remain unchanged and the transfer continues to be subject to appropriate safeguards.
  • After December 27, 2022, the prior SCCs must be replaced with the revised versions.

Recommendations

  • Data Mapping – Organizations should have a clear picture of how personal data flows: from which jurisdictions it is collected, to which countries it is transferred (including onward transfers by processors and sub-processors), and which mechanisms are currently relied on to allow for those transfers.
  • Review Contracts – As part of the data mapping process, existing contracts relying on the older form of Standard Clauses should be identified, as these will need to be replaced by the end of December 2022, and earlier if the processing operations they cover change.
  • Documentation of Security Policies – To the extent an organization transfers data to parties outside the EEA, the security measures currently in place should be documented and reviewed, together with the relevant laws and practices of the recipient countries. Because the new SCC require the measures to be described in specific terms, the documentation should identify concrete controls (for example, encryption in transit and at rest and who holds the keys, access control, logging and monitoring, and pseudonymisation) rather than general policy statements. To the extent an organization serves as a processor on behalf of controllers, it should consider how best to reflect its current security practices in writing in order to be prepared for requests for documentation. Additional security measures should be implemented to the extent required.
