Dentons Privacy Community met on 7 and 28 July 2021 to discuss how to implement the new Standard Contractual Clauses approved by the European Commission. As we return from our summer breaks and head into the busy autumn period, we share some of the key takeaways from these two Community events to help you get ready for using the new SCCs by the 27 September 2021 deadline:
1. Key points
The new SCCs became applicable from 27 June 2021. They must be used for new transfers from 27 September 2021. The transition period for replacing the old SCCs expires on 27 December 2022.
The new SCCs take a modular approach to the types of transfer (controller-controller, controller-processor, processor-processor and processor-controller). They have a docking clause allowing multi-party contracting. Transfers to processors no longer require a separate data processing agreement. The new SCCs impose increased reporting and documentation obligations on importers.
SCCs can be used by exporters outside the EU. They must be passed down the chain of onward transfers. The data importer will be subject to the jurisdiction of EU supervisory authorities.
The UK has not adopted the new SCCs. The old SCCs remain approved while the UK plans to introduce its own replacements next year.
If the export is from the UK only, use the old SCCs and wait.
Nevertheless, it seems unlikely that the UK Information Commissioner would take enforcement action against the use of the new SCCs, given the higher level of privacy protection they confer. An open question is the impact on onward transfers under the old SCCs by a UK importer which received EU data on the basis of the EU’s adequacy finding for the UK.
[Stop press: On 11 August, the ICO launched a public consultation on draft UK SCCs, use of the EU SCCs, and a DTIA tool. The consultation closes on 7 October. At the same time, the UK is discussing data transfer co-operation with its 10 priority trading partners: Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore and the US.]
3. Intra-group agreements
Intra-group agreements that pre-date the new SCCs may already come close to the requirements that apply when implementing the new SCCs, and may use the same modular structure.
The group must map the data flows between the various group members to the applicable modules. (Contrast the approach under Binding Corporate Rules to which each group member signs up and which must be approved by the regulator.)
Supplementary measures, following EDPB guidance, will need to be stated and adopted across all importers or the differences documented.
The modules require a more detailed description of the transfer than under old rules.
The new SCCs can be integrated into a broader agreement as long as they are not varied. The broader agreement can accommodate exports from non-EU countries.
4. External vendors
For businesses with complex supply chains, consider first assessing the estate, and identifying major exports and principal risks. This aligns with Schrems II concerns and is more practical than starting with a legal analysis.
Note that the political regime and stability are now fundamental components of the risk assessment (although this is burdensome on private businesses).
5. Drafting tips
Start with the annexes, which describe the processing, then choose which measures to apply.
Differentiate between core immutable measures and “side areas” to be applied flexibly.
It can take the EU years to assess a country with a view to providing an adequacy decision. Therefore, putting the onus on the exporter to make such an assessment seems excessive; the exporter would in turn pass this decision-making on to an importer or processor (if the controller is also the exporter).
There is no definitive answer as to whether you can limit liability vis-à-vis your contracting party under the SCCs. The European Commission seems to take the position that you cannot. However, as this is a commercial arrangement between the parties, there is nothing in privacy laws that would prohibit this, provided the data subjects’ rights are not reduced. In specific situations, there may be competition law aspects to it (e.g. abuse of market power).
6. Exports to the US
The focus of US rules is not the location of the data but the means and tools that allow access.
Use of a US-based electronic communications service provider does not always cause a GDPR compliance concern. Each exporter and importer must analyse the application of the law to the transfer in question – usually this would satisfy obligations under Schrems II.
Importers should take a sophisticated approach to communicating these steps to customers, and to adopting policies and procedures to respond to government requests for access. Many cloud providers do so.
The majority of US companies will in practice never receive access requests from governments – consequently, they can commit to challenging any such request without much practical consequence.
The SCCs grant third party beneficiary rights. (Irish law was changed specifically to allow these.) Data subjects might bring claims against exporters or importers, although the more likely target is the exporter.
The exporter is also more accessible to the regulator. In principle, the regulator could order the exporter to suspend the data transfers, although for most businesses this should not be a practical risk (assuming they take and document proportionate compliance measures).
It is not unknown for the regulator to enforce against entities established outside the EU. (The Dutch supervisory authority recently fined such a company.)
The most likely targets of activists are “big tech” companies, but also companies which generally ignore the reporting requirements.
Specifically for importers in Canada, there is also a cross-border report which must be considered for every form of cross-border data transfer.
Class actions are inevitable, which is another reason to document compliance measures. Data subjects may become a regulator’s best friend in this regard.
8. Operationalising your SCCs after implementation
Data importers have the obligation to respond to access requests.
Data importers have the direct obligation to notify data breaches to:
- supervisory authorities in the EU;
- the data exporter; and
- data subjects (if the data breach results in a high risk to the data subjects).
Data exporters and data importers must be ready to share a copy of the SCCs (including appendices/annexes) upon request from the data subjects.
All this means that exporters and importers alike should have adequate procedures in place.