On 4 June 2021, the European Commission adopted new standard contractual clauses (EU SCCs) for those transfers of personal data to third countries which are governed by the General Data Protection Regulation 2016/679 (GDPR)¹, together with a new set of standard contractual clauses to be used between controllers and processors pursuant to the requirements of Article 28 GDPR.

This briefing focuses on the EU SCCs, how they work, how they should be used, and issues to watch out for.

^{1 References to GDPR in this briefing are to the EU GDPR as opposed the UK GDPR} 

Once they come into effect, and subject to a grace period (see below), the new EU SCCs must be used whenever the parties determine that their appropriate safeguarding mechanism is standard contractual clauses. In contrast, whether a controller and a processor use the EU's approved new Article 28 standard contractual clauses, or use their own set of drafted clauses meeting Article 28 requirements, will be for them to choose although it is expected that the EU version will encourage greater standardisation.

The EU SCCs were published in the Official Journal on 7 June and will take effect on 27 June 2021. Organisations can start using them from this date.

The existing SCCs will remain valid until they are repealed on 27 September 2021. Therefore, until this date, they can still validly be used in respect of transfers to third countries, though if it is expected that transfers under such arrangements will continue past the end of the grace period referred to below, then parties may wish to consider heading straight for the new EU SCCs to govern their arrangement.

There is an 18 month grace period for organisations to transition any arrangements based on the existing SCCs, to the new EU SCCs, which will last until 27 December 2022. This is provided that the underlying processing operations for which the existing SCCs were put in place do not change; if they do, then the new EU SCCs should be put in place to cover the processing from that point on.

The EU SCCs only apply where a data exporter is subject to GDPR (which in certain circumstances and by virtue of the extra territoriality provisions of the GDPR, can extend to exporters which are located outside the EU). They can also only be used for data transfers where the data importer is not subject to GDPR. (The thinking being that an adequate level of protection for the data should already be in place, given that the importer is already subject to GDPR by virtue of the extra territoriality provisions in Article 3(2). However, this does not square with issues such as the ability of public authorities in the third country to access the data). However, as the recent Schrems cases demonstrates, the SCCs do not actually get around this concern either and the practical takeaway whenever data is being transferred out of the EEA (whether to an entity covered on an extra-territoriality basis or to one that has signed the SCCs), is that the data should only be transferred if necessary, should be minimised as much as possible and an assessment of appropriate additional security measures should be considered.

The EU SCCs will not apply to transfers of personal data from organisations which are subject to UK GDPR. In these circumstances, and until the UK Information Commissioner's Office (the ICO) has confirmed otherwise, a data exporter should continue to use the existing SCCs in respect of its data transfers to third countries, which is, of course, quite unsatisfactory for any international companies that operate in both the UK and the EU.

The EU SCCs are modular with certain clauses applicable depending on the role of the exporter and importer and whether they are a controller or processor.

Once the parties have identified which module applies to their transfer scenario, they can then ascertain which iteration of the various clauses will apply. 

Additional parties can be added to the SCCs provided that the original parties to the SCCs opted to include the optional docking clause. The docking clause allows an entity that is not an original party to the SCCs to be added after signing.

GDPR is reflected in the obligations which are imposed on the parties, and the data subject rights which the parties must adhere to. In short, this is going to create much more of a compliance burden for data importers in particular, which previously may not have been used to GDPR-style compliance and accountability.

Helpfully, the EU SCCs bake into data transfers between controllers and processors and transfers between processors, the requirements set out in Article 28 GDPR for agreements between controllers and processors, which means that the parties to such data transfer agreements won't need to complete a separate data processing agreement.

There is an appendix which includes annexes covering (i) the list of the parties, description of transfer and identity of the competent supervisory authority to which both parties must submit to the jurisdiction of; (ii) a specific description of technical and organisational measures used to support the data transfer and ensure the ongoing safety of the data; and (iii) a list of sub-processors (where applicable and where specific authorisation is to be agreed).

Clauses 14 and 15 of the EU SCCs seek to address one of the main themes which came out of the CJEU's judgement in Schrems II. In Schrems II, the CJEU highlighted the need for data exporters to verify, prior to a data transfer relying on SCCs, whether the laws and practices of the destination country provide adequate protection for the data being transferred – or an essentially equivalent level of protection to that afforded under EU law (for example, local surveillance laws may pose a risk to data subject rights). This was further supplemented by draft guidance released by the European Data Protection Board (EDPB) in November 2020 (a final version of these guidelines is expected to be released soon).

To this end, the EU SCCs include a mutual warranty, which applies to every module of the SCCs, that the parties have no reason to believe that the laws and practices of the third country would prevent the data importer from fulfilling its obligations under the SCCs, including its obligations to keep the data safe and comply with data subjects' rights. The clause sets out those factors that the parties should take into account when providing the warranty (which in many ways reflect the EDPB's draft guidance), including the specific circumstances of the transfer, the laws and practices of the destination country (including those requiring disclosure of data to public authorities), and any relevant contractual, technical or organisational safeguards put in place to supplement the SCCs.

Clause 15 deals with attempts by public authorities to access the data. If there is an attempt by a public authority to access the data, the EU SCCs require the data importer to:

1. immediately notify the data exporter on receiving a legally binding request for disclosure from a public authority, or on becoming aware of a public authority gaining direct access to the relevant data;
   
   
2. use best efforts to obtain a waiver from the public authority if local laws prohibit the data importer from notifying the data exporter of (i) above;
   
   
3. report the requests regularly to the data exporter, keep records, preserve all documents and challenge such requests from local authorities where there are reasonable grounds to do so. Again, the data importer must document its legal assessment of government access requests, and make this available to the data exporter and/or competent supervisory authority upon request.

One of the effects of updating the clauses to reflect GDPR, are the enhanced transparency requirements on the data importer, particularly in controller to controller transfers, which must inform data subjects of its identity and contact details, the categories of personal data processed, and provide details of any onward transfer. The EU SCCs signed between the data exporter and importer should be made available on request to data subjects as well, although confidential information (for example, detailed technical measures that the parties may prefer not to divulge), can be redacted. The obligation can be discharged via the data exporter if the parties agree to that, and the obligation falls away if providing the information proves impossible or would involve disproportionate effort for the importer. As with data collection notices, it would seem that a public notice on a website such as a privacy notice might be deemed sufficient to meet these obligations.

Unlike the existing SCCs, the parties may choose the law of the EU member state which is to govern the data transfer agreement, though in the case of C to P and P to P transfers the fall back is the law of the member state where the exporter is established. For P to C transfers, the parties may choose the law of a country which allows for third party beneficiary rights (in this case data subjects' rights). A similar pattern follows for choice of jurisdiction, though a data subject may also bring proceedings against either party in the courts of the Member State of their habitual residence.

Organisations which are exporting personal data to third countries in reliance on SCCs, and that are subject to the GDPR, will need an action plan to transition across to the new EU SCCs, to carry out the requisite transfer impact assessments, and to ensure ongoing compliance with the requirements of the EU SCCs.

Data exporters should:

• To the extent that they haven't already done this in light of Schrems II, put together a template, taking into consideration the requirements of Clause 14 of the EU SCCs and the EDPB (draft) guidance and establish a process for conducting transfer impact assessments, and then carry these out in conjunction with importing parties and see through any follow up action arising. Some importing parties (for example, IT service provider processors which deal with thousands of exporting customers) may already have processes in place to support this, and it is worth entering into a dialogue with them first to establish this. To this end, data transfers to third countries should be audited, categorised and prioritised depending on the nature of the arrangement and the counterparty, how important the data transfer is to a business, the destination countries that a business exports data to, and the type and amount of data which is being transferred. Different approaches to handling transfer impact assessments will also be required depending on the department within a business which a data transfer agreement will relate to: for example, those data transfer agreements in respect of IT support matters, most of which will be with an importing processor, will be handled in a very different way to say, a marketing or BD partnership between two controllers.
  
  
• To the extent that they haven't already, establish a process (and a way of documenting it) for conducting meaningful due diligence on importers to ascertain whether they can comply with their obligations under the EU SCCs – for example, via a due diligence questionnaire backed up with supporting documentation. Again, it is useful to enter into a dialogue, particularly with importers which are used to importing data, which may already have information documentation to hand to provide to the exporter.
  
  
• Assess which of their current data transfers will need to be transitioned across to the EU SCCs, bearing in mind the grace period which is in place until 27 December 2022; and put in place a process for carrying out such transition and updating existing contracts with the new SCCs.
  
  
• Identify those data transfers which are in the pipeline which will need to be completed on the basis of the EU SCCs (again bearing in mind that the existing SCCs can no longer be used on or after 27 September 2021, though if they are put in place before this date, then they too will take the benefit of the grace period to transition to the new EU SCCs).
  
  
• Ensure that data can be transmitted to the importer in a secure way.
  
  
• Update privacy policies to ensure compliance with transparency obligations under EU SCCs (or agree with the relevant data importer where the importer will do this).

Data importers:

Data importers face an increased compliance burden as a result of the GDPR-style requirements in the EU SCCs – as follows:

• Where a data importer is importing data as a controller, the requirements in respect of data subjects' rights and the ability to respond to requests and enquiries from data subjects (for example, responding to requests for access to data processed) may well require some adjustments to business practices and new processes to be put in place, including a process for complying with the obligations on data breach notification, and establishing a point of contact for complaints from data subjects to be received.
  
  
• Data importers should establish with their exporter counterparts, which party will meet the transparency obligations in the EU SCCs, and if it’s the importer, work out how best to do this.
  
  
• Data importers will need to have processes in place to ensure that the data is accurate and up to date, and only kept for as long as necessary.
  
  
• Importers will have to get used to accountability, and documenting everything, in particular, any steps taken in response to requests from public authorities, so as to be able to demonstrate compliance to exporters, data subjects and supervisory authorities alike, will be important.
  
  
• Processor importers in respect of which the risk profile for the data they handle from exporters is similar each time, may wish to consider putting together standard documentation which could help with completion and documentation of transfer impact assessments, and with completion of the Appendix to the EU SCCs.

Whilst the EU SCCs are a welcome update on the existing SCCs, in particular in the way they reflect the various transfer scenarios, it is the transfer impact assessment (together with the need to document it) required by Schrems II, the EDPB, and now enshrined in Clause 14 of the EU SCCs, which will continue to create the largest burden for many organisations. The ICO has confirmed that Schrems II, including that need for a transfer impact assessment, is now part of English law, but that it will provide as much help and guidance as possible for businesses to navigate it when it comes to data transfers under UK GDPR. We await with interest how it will address this, and whether it is able to help in any way to shift or reduce the burden away from businesses in having to assess the laws and practices of destination countries.