The European Commission released its new Standard Contractual Clauses (SCCs) for cross-border transfers under the GDPR on 4 June 2021.
The new SCCs
In order to transfer personal data to recipients outside the European Economic Area (EEA), the transfer rules in the GDPR must be complied with. The SCCs are one of the most commonly used mechanisms for doing so. They are a standard set of contractual terms which the sender (the exporter) and recipient (the importer) sign up to and which look to protect personal data leaving the EEA.
The old SCCs were no longer fit for purpose and had long needed an overhaul for a number of reasons. The new SCCs were updated to:
• Allow for various data flows. There are now four modules to the SCCs:
o controller to controller
o controller to processor
o processor to processor
o processor to controller
• Give the clauses a GDPR ‘face lift’ as the old SCCs were based upon the now replaced Data Protection Directive
• Introduce a “docking” clause which enables new exporters and importers to accede to the SCCs. These multi-party SCCs are particularly useful for intra-group arrangements, and
• Address the requirements of the Schrems II judgement such as by addressing governmental disclosure and access requests and by providing for robust rights for data subjects.
The new SCCs are broadly similar to the initial consultation draft, but there are some significant differences. For instance, the controller’s audit right in the processor to processor module was significantly diluted, and the controller no longer needs to be identified in the annex for that module, a requirement which was impractical. Notably, the new SCCs retain the “risk based” approach to transfer impact assessments.
We are seeing service providers that operate at scale moving quickly to adopt the new SCCs as they address a number of the issues raised in Schrems II and, consequently, make their transfer postures more robust. The introduction of the processor to processor module is also significant as it means that European based processor service providers no longer need to put SCCs in place between their EU customers and US parent, as they previously had to do due to the absence of a processor to processor module. This is a significant benefit given the SCCs exposed the US parent to contractual claims by customers and data subjects. It also reduces customer friction, as customers are a step removed from the transfer mechanism, and has other advantages too.
However, there is an operational lift in moving to the new SCCs given the detailed requirements that the importer must comply with under them.
When must you start using the new SCCs?
The new SCCs can be used from 27 June 2021.
They must be used for any new contracts concluded on and from 27 September 2021. This effectively means that service providers with standard online terms need to move to the new SCCs by then given that they will enter into contracts with new customers on a daily basis.
If you already have old SCCs in place, you can, in principle, continue to rely upon them until 27 December 2022 for transfers covered by the SCCs already concluded. However, this is provided that you do not change the processing operations that are the subject matter of the contract (the qualifier). This qualifier is presenting challenges for service providers that operate at scale due to the uncertainty it creates, and it is resulting in companies moving more quickly to the new SCCs than they may have otherwise.
Third party rights
The SCCs permit the parties to choose an EU Member State’s law as the governing law for the SCCs. This is provided that such country’s law allows for third party beneficiary rights. This ensures that data subjects can enforce the third party beneficiary rights granted to them under the SCCs.
Many international businesses base their EU operations in Ireland and rely on SCCs for their global data exports from the EU. As a result, their SCCs are typically governed by Irish law. However, third party beneficiary rights do not generally exist under Irish law due to the principle of “privity of contract”. This principle means that only the parties who directly agree to a contract can enforce it. As a result, companies were exploring innovative means to introduce third party rights under the SCCs, such as deed poll and agency models.
However, a new Statutory Instrument has now been introduced which amends the Irish Data Protection Act 2018 (the DPA) by providing third party beneficiary rights for data subjects under SCCs (including the old SCCs), as well as BCRs (binding corporate rules). This addresses the gap in the law that resulted from the failure to carry through section 11(6) from the old DPA when the DPA was introduced. Section 11(6) had granted third party beneficiary rights under the SCCs. Significantly, the legislative amendment does not grant anyone other than data subjects third party beneficiary rights. This is notable as in some Member States there is a view that supervisory authorities and, where the processor to processor module is used, controllers (i.e. customers) can also contractually enforce the SCCs as third party beneficiaries.
The new SCCs are effective from 27 June 2021 and provide a more robust and flexible means for making data transfers. Helpfully, the new Irish legislative amendment makes clear that companies can choose Irish governing law for the new SCCs.
The content of this article is provided for information purposes only and does not constitute legal or other advice.