Davis Polk Discusses New Standard Contractual Clauses for Moving Personal Data Outside the EU

On June 4, 2021, the European Commission (“EC”) released a final working draft, along with its implementing decision, for a new set of Standard Contractual Clauses (“New SCCs”) for the transfer of personal data to countries outside of the European Economic Area (“EEA”) whose laws the EC has determined do not provide an adequate level of data protection.  In this memo we highlight three key developments that contracting parties should be aware of with regard to the New SCCs: (i) the timing for implementation, (ii) the new modular approach and additional use cases covered, and (iii) updates intended to address the concerns raised in last year’s noteworthy Schrems II decision by the Court of Justice of the European Union (“CJEU”).

Background

The EC had previously released an initial draft of proposed New SCCs in November 2020, on which the European Data Protection Board (“EDPB”), the European Data Protection Supervisor, the European Union (“EU”) member states, and other constituencies gave input. The currently approved Standard Contractual Clauses (“Old SCCs”) were last updated in 2004 (for data transfers from EEA controllers to non-EEA controllers) and 2010 (for data transfers from EEA controllers to non-EEA processors), in both cases prior to the passage of the EU’s General Data Protection Regulation (“GDPR”).

For the full text of the EC’s implementing decision and the New SCCs, click here.

For an unofficial redline comparing the New SCCs with the November 2020 proposed draft, click here.

Highlights & Takeaways

In light of the EU’s adoption of the GDPR, last year’s Schrems II decision by the CJEU, and the general growth and modernization of the digital economy, the EC has sought to significantly update and augment the Old SCCs to reflect the legal requirements on data transfers under the GDPR while at the same time providing more certainty and flexibility to contracting parties.  Below are three key developments that contracting parties should be aware of with regard to the New SCCs:

  • Timeline for Implementation: The New SCCs take effect on June 27, 2021, and the Old SCCs are repealed with effect from September 27, 2021. However, for contracts entered into prior to September 27, 2021 using the Old SCCs, controllers and processors may continue to rely on the Old SCCs until December 27, 2022, subject to the following conditions: (i) the processing operations that are the subject matter of the relevant contract remain unchanged, and (ii) reliance on the Old SCCs ensures that the transfer of personal data is subject to appropriate safeguards under the GDPR.

            Takeaway: Parties currently negotiating an agreement that utilizes Standard Contractual Clauses may continue to use the Old SCCs as long as the agreement is executed prior to September 27, 2021 and the conditions noted above are met.  Given many parties’ familiarity with the Old SCCs, there may be advantages in relying on the Old SCCs for the time being, particularly for shorter term arrangements that are likely to expire or be renegotiated prior to December 27, 2022.  However, parties should be mindful that longer term arrangements utilizing the Old SCCs will need to be amended prior to December 27, 2022 at the latest, and the New SCCs will need to be implemented sooner where the conditions noted above are not satisfied.

  • Modular Approach with Additional Use Cases: While the Old SCCs address applicable international data transfers from (i) EEA controllers to non-EEA controllers and (ii) EEA controllers to non-EEA processors, the New SCCs also address transfers from (iii) EEA or non-EEA processors to non-EEA (sub)processors and (iv) EEA or non-EEA processors to non-EEA controllers. This is achieved through a modular approach, which allows parties to select the right clauses for the transfers in question.  As with the Old SCCs, the New SCCs can be incorporated into a broader contractual arrangement, as long as any additional provisions do not conflict with the New SCCs or prejudice the rights of data subjects; unlike the Old SCCs, the New SCCs are compliant with Article 28 of the GDPR for controller to processor transfers and processor to (sub)processor transfers, so contracting parties do not need to enter into separate data processing agreements (in addition to the New SCCs) under those transfer scenarios.  The New SCCs also include a “docking clause” that allows additional parties to join an existing set of New SCCs at a later date by executing a specified annex.

            Takeaway: While significantly updating the Old SCCs in a variety of ways with which companies will need to become familiar, the New SCCs do provide increased flexibility and utility by covering more transfer scenarios. They also should simplify contracting, as the New SCCs cover Article 28 requirements for applicable controller to processor and processor to (sub)processor transfers.

  • Addressing Schrems II: Last year’s Schrems II decision by the CJEU upheld the validity of Old SCCs, but requires data exporters and importers to evaluate, on a case-by-case basis, whether the laws of the relevant third country impinge on the data protection measures provided for in the GDPR. The New SCCs contain updates to hold exporters and importers to the standards set out by the CJEU.  Most notably, the New SCCs require the parties to warrant that, at the time of signing, they have no reason to believe that the laws and practices applicable to the data importer in the third country would prevent the data importer from fulfilling its obligations under the New SCCs.  In making this warranty, the parties must document an assessment taking into account the following:
    • the specific circumstances of the transfer (e.g., the purpose of processing, the categories of personal data involved, the type of recipient, the economic sector in question);
    • the laws and practices of the third country of destination (including taking into account relevant documented practical experience of the parties as well as “reliable” information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies); and
    • any relevant contractual, technical or organizational safeguards that have been put in place to supplement the safeguards under the New SCCs.

The New SCCs also provide for detailed provisions around the steps the data importer must take if it receives an access request from a public authority, including notifying the data exporter (where legally permitted), and seeking waivers or challenging requests where appropriate.  Where the laws and practices applicable to the data importer prevent it from complying with the safeguards provided under the New SCCs, the New SCCs also permit the data exporter to suspend the data transfers and terminate the relevant contract with the data importer insofar as it concerns the processing of personal data under the New SCCs.

            Takeaway: The new provisions that are intended to address the concerns raised in the Schrems II decision are among the more significant updates reflected in the New SCCs.  While imposing specific ongoing obligations, they also provide greater clarity on the nature and scope of the assessment that parties must undertake in connection with their international transfers in light of Schrems II.  However, while these provisions provide useful guidance, they are not the end of the analysis, as the EDPB is set to release its final recommendations addressing Schrems II in the coming days.  To get a complete picture, controllers and processors will need to see how the EDPB’s recommendations intersect with the requirements under the New SCCs.

This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s memorandum, “Highlights & Takeaways: European Commission issues new standard contractual clauses,” dated June 7, 2021, and available here.