CLS Blue Sky Blog

Davis Polk Discusses New Standard Contractual Clauses for Moving Personal Data Outside the EU

On June 4, 2021, the European Commission (“EC”) released a final working draft, along with its implementing decision, for a new set of Standard Contractual Clauses (“New SCCs”) for the transfer of personal data to countries outside of the European Economic Area (“EEA”) whose laws the EC has determined do not provide an adequate level of data protection.  In this memo we highlight three key developments that contracting parties should be aware of with regard to the New SCCs: (i) the timing for implementation, (ii) the new modular approach and additional use cases covered, and (iii) updates intended to address the concerns raised in last year’s noteworthy Schrems II decision by the Court of Justice of the European Union (“CJEU”).

Background

The EC had previously released an initial draft of proposed New SCCs in November 2020, on which the European Data Protection Board (“EDPB”), the European Data Protection Supervisor, the European Union (“EU”) member states, and other constituencies gave input. The currently approved Standard Contractual Clauses (“Old SCCs”) were last updated in 2004 (for data transfers from EEA controllers to non-EEA controllers) and 2010 (for data transfers from EEA controllers to non-EEA processors), in both cases prior to the passage of the EU’s General Data Protection Regulation (“GDPR”).

For the full text of the EC’s implementing decision and the New SCCs, click here.

For an unofficial redline comparing the New SCCs with the November 2020 proposed draft, click here.

Highlights & Takeaways

In light of the EU’s adoption of the GDPR, last year’s Schrems II decision by the CJEU, and the general growth and modernization of the digital economy, the EC has sought to significantly update and augment the Old SCCs to reflect the legal requirements on data transfers under the GDPR while at the same time providing more certainty and flexibility to contracting parties.  Below are three key developments that contracting parties should be aware of with regard to the New SCCs:

            Takeaway: Parties currently negotiating an agreement that utilizes Standard Contractual Clauses may continue to use the Old SCCs as long as the agreement is executed prior to September 27, 2021 and the conditions noted above are met.  Given many parties’ familiarity with the Old SCCs, there may be advantages in relying on the Old SCCs for the time being, particularly for shorter term arrangements that are likely to expire or be renegotiated prior to December 27, 2022.  However, parties should be mindful that longer term arrangements utilizing the Old SCCs will need to be amended prior to December 27, 2022 at the latest, and the New SCCs will need to be implemented sooner where the conditions noted above are not satisfied.

            Takeaway: While significantly updating the Old SCCs in a variety of ways with which companies will need to become familiar, the New SCCs do provide increased flexibility and utility by covering more transfer scenarios. They also should simplify contracting, as the New SCCs cover Article 28 requirements for applicable controller to processor and processor to (sub)processor transfers.

The New SCCs also provide for detailed provisions around the steps the data importer must take if it receives an access request from a public authority, including notifying the data exporter (where legally permitted), and seeking waivers or challenging requests where appropriate.  Where the laws and practices applicable to the data importer prevent it from complying with the safeguards provided under the New SCCs, the New SCCs also permit the data exporter to suspend the data transfers and terminate the relevant contract with the data importer insofar as it concerns the processing of personal data under the New SCCs.

            Takeaway: The new provisions that are intended to address the concerns raised in the Schrems II decision are among the more significant updates reflected in the New SCCs.  While imposing specific ongoing obligations, they also provide greater clarity on the nature and scope of the assessment that parties must undertake in connection with their international transfers in light of Schrems II.  However, while these provisions provide useful guidance, they are not the end of the analysis, as the EDPB is set to release its final recommendations addressing Schrems II in the coming days.  To get a complete picture, controllers and processors will need to see how the EDPB’s recommendations intersect with the requirements under the New SCCs.

This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s memorandum, “Highlights & Takeaways: European Commission issues new standard contractual clauses,” dated June 7, 2021, and available here.

Exit mobile version