Since 1995, the EU has used various sets of Standard Contractual Clauses (SCCs) to provide a legal basis for safeguarding the transfer of personal data from a country within the European Economic Area (EEA) to a non-EEA country through their inclusion in contracts dealing with such transfers.
The purpose of SCCs is to help EU personal data retain EU-like protection following its transfer to countries the EU considers as lacking in suitable data protection measures. Use of the SCCs is voluntary and demonstrates compliance with data protection requirements.
The latest version of SCCs was adopted by the EU in June 2021, with many useful details about them provided in its SCCs questions and answers guide. Organisations committed to using SCCs in their data transfer contracts were required to start using the new SCCs from 1 September 2022 in any new agreements with a data transfer component.
By 27 December 2022, all such then-active agreements must have been updated to adopt the new SCCs.
This article provides a brief overview of the new SCCs, covering:
- Key SCC definitions
- How SCCs work
- Features of the new SCCs
- Operational consequences of using the new SCCs
Key SCC definitions
Some specific terminology has been developed for the SCCs as shorthand for describing who does what in terms of complying with EU data protection law.
- Controller: the individual or legal person who determines the purposes for and the means by which personal data is processed
- Processor: the individual or legal person who processes personal data on behalf of the controller
- Sub-processor: a third-party processor, engaged by a processor, who has or will have access to or process personal data from a controller
- Data exporter: the individual or legal person transferring the personal data
- Data importer: the individual or legal person receiving the personal data.
How SCCs work
SCCs are standardised and pre-approved model data protection clauses developed by the EU to allow controllers and processors to comply with their obligations under EU data protection law.
SCCs can be incorporated by controllers and processors into their contractual arrangements with other parties to provide more legal certainty about those obligations.
Because the text of the Standard Contractual Clauses has been pre-approved by the EU, it cannot be altered in any way. Doing so will remove reliance on the legal certainty offered by the EU regulations.
Additional clauses may be added to supplement the SCCs, likely operational in nature but not necessarily, but they must not contradict the SCCs in any way or prejudice the rights of data subjects.
Data exporters need to implement SCCs in their contracts when:
- The personal data to be transferred is protected by EU regulations
- The data importer is an individual or legal person outside the data exporter’s organisation and located in a country not approved by the EU as having a suitable level of protection for personal data.
In such cases, SCCs eliminate the need for data exporters to obtain a prior authorisation from a data protection authority for a data transfer or the use of alternative non-SCC clauses in their contracts.
Data importers, especially those that act as controllers after receiving the data, have obligations under the SCCs that require them to implement data protection safeguards similar to the EU’s, regardless of the regulations that apply in their local jurisdiction.
The parties to the SCCs need to conduct and document a transfer impact assessment to evaluate the circumstances of the data transfer and check that the data importer’s local laws and practices do not prevent it from complying with the SCCs, and make the documentation available to the competent supervisory authority upon request.
Features of the new SCCs
Different data transfer situations have different requirements. The SCCs cater for four such situations by the use of modules of clauses for each, based on the role and location of the data exporter and the data importer respectively:
- Module 1: EEA country controller to non-EEA country controller
- Module 2: EEA country controller to non-EEA country processor
- Module 3: EEA country processor to non-EEA country processor or sub-processor
- Module 4: EEA country processor to non-EEA country controller.
It is vital for the data exporter and the data importer to agree on which role each plays in the data transfer, rather than just assume what those roles are. That helps to ensure that only the SCC clauses associated with the relevant module are used.
Some SCC clauses provide extra options that may be included or deleted; others require the input of relevant information such as governing law and choice of forum and jurisdiction.
Each module also contains an annex to be completed by the parties to the contract, to provide their individual details and fully describe the nature, purpose and other details of the data transfer.
Operational consequences of using the new SCCs
To stay on the right side of the EU’s laws and do that as effectively as possible, the data exporter has to:
- Establish new contracts with its data importers that incorporate the new SCCs
- Maintain current awareness of the state of relevant laws and practices in the destination countries of its data importers to reveal any changes that will prevent the data importer from complying with the SCCs
- Promptly suspend data transfers to data importers in such countries to prevent their non-compliance with their own applicable laws
- Map all the situations it has in place regarding contractual transfer of EEA-based personal data outside of the EEA, and also other incidental transfers like backups or fallbacks to data centres outside the EEA.
On the other hand, it is really important for the data importer to:
- Ensure that its systems and processes are suitable for handling data subject access to their own personal data, including requests for erasure of that data and other rights, as well as achieving compliance with the new SCCs
- Understand its responsibilities related to the onward transfer of received personal data to sub-processors
- Notify the data exporter, and the data subjects when possible, in the event of an intended or actual access to personal data by a public authority, and review the legality of the authority’s request for disclosure
- Notify data subjects about any high-risk breaches of their personal data suffered by the data importer
- Consider how to identify and eliminate or mitigate any inherent internal or external risk potential associated with implementation of the new SCCs.
These activities could be operationally burdensome and financially difficult to implement.
For both sides, close collaboration with their own Legal teams is likely to be necessary to understand the EU’s regulations and the data importers’ local laws. Collaboration will also minimise oversights, and allow teams to develop practical approaches to operating with the new SCCs in their current form and as they develop over time. Any number of scenarios can occur where legal advice with respect to the SCCs should be sought.
Similar collaboration with their own technology teams will almost certainly be necessary to ensure that as much automation as is practical and achievable is available to help manage compliance with the SCCs and applicable regulation.
Keeping up with regulatory change is almost as difficult for organisations these days as complying with the applicable regulations. While such change is to be expected, and its arrival generally advised well in advance, it can be a challenge to be ready in time. That challenge needs to be overcome.
Good planning, strong attention to detail, comprehensive records of applicable contracts, adequate resourcing, a bit of agility and a healthy fear of failure can be a big help.
In particular now, organisations need to recognise that the business of cross-border data transfers is nowhere near done, not for the EU with Schrems II still in play, or in any of the many other jurisdictions around the world currently wrestling with the problem.
The supervisory authorities just about everywhere are giving the protection of personal data particular attention these days, both within and across jurisdictions. They are all disinclined to accept excuses from organisations for failing in their obligations to adequately protect personal data, so punishment for transgressors is likely to be stiff.
Revisiting contracts involving the transfer of personal data between jurisdictions to keep up with regulatory changes like the SCCs is going to be like Groundhog Day for many organisations that need to do it.
Roger Voudouris once sang ‘you better get used to it’, and that’s probably the only way to deal with the impending wave of data protection regulation that’s looming.
If you would like more information about how to identify all your contracts that need their SCCs updated, or how Gatekeeper can assist with that activity, then contact us today.