In June 2021, the European Commission released two new sets of standard contractual clauses (SCCs). One set covers the relationship between data controllers and data processors subject to the GDPR (the clauses required by Article 28 GDPR). The other set governs the transfer of personal information to third countries outside the European Union.
The new clauses came into effect on June 27, 2021. Organizations could continue to use the old SCCs for new data transfers until September 27, 2021; after that date the new SCCs must be used for all new transfers. Organizations also have an 18-month grace period, until December 27, 2022, to migrate existing arrangements based on the old SCCs to the new clauses.
New standard contractual clauses for transfer between data controllers and processors
Under the GDPR, certain compulsory terms must be included in every contract between a data controller and a data processor that processes personal data on its behalf (Article 28(3)). Until now, organizations had to draft their own clauses to capture these controller-processor obligations.
The new Article 28 SCCs offer a pre-approved template that brings more uniformity and predictability to these agreements. Using them is optional: organizations can still write their own contract terms, as long as those terms include the compulsory elements required by the GDPR.
The new SCCs for transfers to third countries (the second set) take a modular approach, so organizations select the clauses that match their roles in the data transfer:
- Module 1 is controller-to-controller transfers
- Module 2 is controller-to-processor transfers
- Module 3 is processor-to-processor transfers
- Module 4 is processor-to-controller transfers
The controller, in this context, is the party that determines the purposes and means of processing, i.e. decides why and how the personal data will be used. The processor is a service provider that processes the data on the controller's behalf and according to its instructions.
The new SCCs differ from the previous SCCs in that the older clauses did not cover processor-to-processor or processor-to-controller transfers. This left a gap in ensuring lawful and compliant data transfers.
This is also the first time that the possibility of the data exporter being a non-EU enterprise has been considered.
New standard contractual clauses controlling data transfer to third countries under the GDPR
The GDPR provides some of the strictest data privacy and protection rules in the world. Many other countries do not apply comparable rules, so personal data leaving the EU for processing elsewhere is at risk of losing that protection. Chapter V of the GDPR therefore requires that data transferred out of the EU continues to receive a level of protection essentially equivalent to the one guaranteed inside the EU. Organizations without the resources to manage this themselves may find that an outsourced managed service is the practical answer.
Importers in countries such as the U.S. had so far relied on two primary mechanisms for receiving personal data from the EU. These were:
- The European Commission’s Standard Contractual Clauses implemented under the European Union Directive 95/46/EC (prior to the GDPR).
- The EU-US Privacy Shield.
The Privacy Shield was invalidated by the Court of Justice of the European Union (CJEU) in its Schrems II decision (July 2020), because it did not satisfy the GDPR's protection requirements for transferred personal data. The same judgment upheld the SCCs as a transfer mechanism, but only on the condition that the exporter assesses, case by case, whether the laws of the destination country allow the importer to actually honour the clauses, and adds supplementary measures where they do not.
The new transfer SCCs are designed to address exactly this issue. Under the new SCCs:
- The clauses retain the principles stated in the existing SCCs
- The parties must warrant that they have no reason to believe that the laws and practices in the third country prevent the data importer from fulfilling its obligations under the SCCs.
- Data exporters are responsible for assessing the risk of transferring data to the destination country, considering the third country’s relevant laws and practices, and relevant safeguards in place to supplement the SCCs if needed.
- Data importers have extensive obligations related to disclosure requests from public authorities in their country, including notifying the data exporter, assessments of the legality of disclosure requests, challenging disclosure requests, etc.
- Technical and organizational measures must be in place to protect transferred personal data, along with ongoing monitoring of these measures to ensure their adequacy.
The new SCCs are not, at the time of writing, recognised as a data transfer mechanism under the UK data protection regime. For data transfers from the UK, organizations continue to rely on the old SCCs until the UK adopts its own transfer instrument.
Organizations should prepare to include the new SCCs in all new data transfer contracts. A thorough mapping of data flows helps define each party's role as controller, processor or sub-processor, and therefore which module applies, so the migration can be planned accordingly. Conduct a transfer risk assessment for each destination country and put supplementary technical and organizational measures in place where the assessment calls for them; this also improves data governance and transparency. Doing this work up front makes ongoing compliance far easier to demonstrate.