Insights on the New SCCs from VeraSafe’s Team of Privacy Pros
THIS BLOG POST IS NOT LEGAL ADVICE. The implementation of the 2021 EU SCCs requires careful assessment of the circumstances of each transfer at stake and therefore, these recommendations cannot be considered alone nor as legal advice. We recommend seeking professional legal advice from competent privacy counsel on how to implement the new 2021 EU SCCs. To request legal assistance with your compliance program, please contact VeraSafe today.
On June 4, 2021, the European Commission released the long-awaited 2021 EU Standard Contractual Clauses (the new SCCs) for cross-border transfers of personal data under the EU General Data Protection Regulation (GDPR). As of September 27, 2021, any new contract relying on the EU Standard Contractual Clauses (SCCs) to transfer personal data to third countries needs to incorporate the new SCCs. However, this is not an easy task: the lack of familiarity with the long text of the SCCs, the SCCs’ interaction with the supplementary measures recommended by the European Data Protection Board (EDPB), the absence of official guidance on how to implement the SCCs, and the level of detail these clauses require may lead to many drafting and negotiation issues.
VeraSafe has helped numerous organizations (pharmaceutical companies, telecommunication providers, and SaaS providers, to name but a few) implement the new SCCs. Read on to learn the insights and tips from five of our privacy attorneys and legal consultants.
But, First… What Are the SCCs?
The SCCs are one of the available mechanisms to transfer personal data from the European Economic Area [1] (EEA) to third countries. SCCs are also the most widely used type of transfer tool [2]. Simply put, the SCCs are pre-approved standard sets of contractual terms and conditions which the sender and the receiver of the personal data both agree to. These model clauses seek to ensure that the GDPR protection of personal data travels with the personal data when it leaves the EEA.
The new SCCs have been adopted, in part, to (i) facilitate the transfer of personal data after the Court of Justice of the European Union’s (CJEU) seismic judgment Schrems II, which struck down the EU-U.S. Privacy Shield Framework as a valid mechanism to transfer data from the EEA to the U.S.; and (ii) account for the requirements of the GDPR. (Isabel Fernández del Campo)
How Much Time Do Organizations Have to Switch to the New SCCs?
As of September 27, 2021, the new 2021 EU SCCs must be used for transfers of personal data in all new contracts. For existing contracts relying on the “old” 2004 and 2010 SCCs, organizations have until December 27, 2022 to switch to the 2021 EU SCCs.
Notably, between September 27, 2021 and December 27, 2022, entities transferring personal data must switch to the 2021 EU SCCs if there are “relevant changes to the contract” or to the processing operations that are the subject matter of the contract. For example, an EU-based controller that concluded the 2010 SCCs with a U.S. hosting provider in 2017 can continue using the 2010 SCCs (provided that adequate supplementary measures are in place) until December 27, 2022. However, if in February 2022, the parties decide to expand the scope of the processing services (for example, they agree that the U.S. hosting provider will now also perform analytics services on the transferred personal data), the EU company must ensure that the new 2021 EU SCCs are used for both the hosting services and the analytics services. (Isabel Fernández del Campo)
From a Risk Perspective, Is a DPA with the “Old” SCCs Better Than No DPA and No SCCs?
Many organizations are still analyzing the impact of the latest guidance of the European Data Protection Board (EDPB) on supplementary measures after the Schrems II judgment and the requirements of the new SCCs, and have missed the September 27, 2021 deadline to implement the 2021 EU SCCs into their standard Data Processing Agreement (DPA). While this is not desirable, VeraSafe strongly recommends that both controllers and processors enter into a DPA with at least the “old” SCCs (provided that an addendum with adequate supplementary measures is included) until the parties are in a position to implement the 2021 EU SCCs. Our recommendation rests on the following three reasons:
- The absence of a DPA and SCCs constitutes GDPR infringement. As Articles 28 and 46 GDPR establish clear obligations to enter into a DPA and to provide appropriate safeguards to personal data transferred to third countries and international organizations, the absence thereof constitutes infringements of the GDPR. Importantly, the EDPB has clearly stated that both controllers and processors are responsible for ensuring a DPA is in place [3].
- The “old” SCCs still offer a reasonable level of protection, as long as they are supplemented with other measures recommended by the EDPB.
- You really need to have a DPA. Aside from the legal and contractual requirements to have a DPA, DPAs are useful in that they protect both parties’ interests. If you are a controller, a DPA will protect you from legal issues if a processor mishandles the data you entrusted it with (for example, if the processor starts processing personal data for its own purposes or in the event of a personal data breach). If you are a processor, you’ll want to have your rights, obligations, and instructions set out in a contract.
Suppose your counterparty is not in a position to sign the 2021 EU SCCs in the next few months. In that case, we recommend executing a short amendment to your DPA that imposes on the parties the obligation to cooperate in good faith to implement the 2021 EU SCCs by a certain date, and that applies the “old” SCCs until then. (Isabel Fernández del Campo)
What Are the Modules?
The new SCCs combine general clauses that apply in every case with a modular approach to match various transfer scenarios depending on the relationships between the parties and their roles (controller or processor). Organizations can choose among four modules the one which is applicable to their situation:
- Module 1: Transfer from controller to controller abroad (for example, a controller in France shares personal data with a controller in Brazil)
- Module 2: Transfer from controller to processor abroad (for example, a controller in Germany shares personal data with a processor in Chile)
- Module 3: Transfer from processor to processor abroad (for example, a processor in Italy shares personal data with a sub-processor in China)
- Module 4: Transfer from processor to controller abroad (for example, a processor in Spain shares data with its controller in the United States of America)
This combined approach provides significantly more coverage and flexibility than the “old” SCCs, which were only designed to address controller-to-controller and controller-to-processor transfers. (Damien Rees)
What Is the Difference Between Controller-to-Processor (Module 2) and Processor-to-Controller (Module 4)?
Module 2 (Controller-to-Processor) represents the more traditional scenario in which a controller transfers data to its data processor outside the EEA. For example, where a controller established in an EU country needs to transfer personal data to a US-based vendor.
Module 4 (Processor-to-Controller) fills a gap in the previous versions of the SCCs. This module allows processors in the EEA to transfer personal data to the controller located outside the EEA on whose behalf the processors process personal data. For instance, where an EU-based vendor needs to transfer personal data to the controller of that data, who is based in Russia. (Damien Rees)
Do Organizations Need to Sign a Separate Set of SCCs for Each Module and Type of Transfer?
Organizations are not required to sign a separate set of SCCs for each module and transfer, nor with each third party they share data with, nor each time they need to transfer personal data to another party to the SCCs.
The SCCs can include the text of all applicable modules and include the details of all transfers under Appendix A to the SCCs. However, it must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the parties as data exporter(s) and/or data importer(s). The SCCs explicitly state that this does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, when this transparency can be achieved through one appendix. However, when necessary to ensure sufficient clarity, separate appendices should be used.
Furthermore, including clause 7 (Docking clause) in the SCCs enables parties to add further parties to the SCCs after they have been executed. This is a time and resource-saving measure that is especially useful in situations with complex structures and many parties involved, such as within corporate groups or multi-party collaborations.
These additions to the SCCs allow organizations to include multiple parties and transfer types to their applicable agreements, and even add future parties to these existing agreements through updates to the appendix and annexes provided in the 2021 EU SCCs. (Damien Rees)
Is There a Preference for Choice of Law and Jurisdiction in the New SCCs?
The EU 2021 SCCs allow parties to freely choose any EU Member State for their choice of governing law (Clause 17) and choice of forum and jurisdiction (Clause 18). Moreover, in the case of utilizing module 4 (Processor-to-Controller), even the laws of non-EU countries can be selected. The only requirement is that the laws of the chosen country (EU Member State or otherwise) must allow for third-party beneficiary rights (which is to say that third parties to a contract can benefit from the contract because they are in fact the intended beneficiary of the contract).
Parties also need to agree on which EU Member State’s courts will be used to resolve any disputes arising from the Standard Contractual Clauses. Again, in the case of module 4, a dispute can be resolved by the courts of any jurisdiction (in the EU or otherwise). The election of a particular jurisdiction will not have an impact on a data subject’s right to bring legal proceedings in the EU Member State where the data subject has its habitual residence.
In instances where parties do not have any particular preference, VeraSafe suggests selecting the Republic of Ireland as the choice of governing law and choice of forum and jurisdiction. (Ishara McKenna)
How To Avoid Adding the Long Text of the SCCs into DPAs?
Many companies have decided to incorporate the SCCs by reference into their DPAs, instead of attaching the long text of the SCCs to their agreements and signing it. To “incorporate by reference”, the text of the DPA will mention the EU 2021 SCCs and state that the Parties are deemed to have accepted and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
When doing so, companies must ensure that the applicable module(s) of the 2021 EU SCCs and the choices the SCCs require (such as the choice of governing law) are specified in the DPA. Clauses 7, 9, 11, 17 and 18 of the new SCCs require some choices by the parties which need to be reflected in an appendix or in the body of the DPA. Importantly, each module presents a different set of options to the parties. For example, module 4 is the simplest module and requires the least customization.
Furthermore, the parties need to ensure that the information required by the annexes to the SCCs is included in the DPA. One way to do this is to add appendices to the DPA that specify the categories of personal data to be processed and transferred, retention periods, purposes of processing, technical and organizational measures, etc. (Yasmeen Rasool)
Do I Have to Do Anything Else If I Sign the New SCCs? Do the New SCCs Make the Schrems II Decision Irrelevant?
Even if you sign the new SCCs, the GDPR still requires supplementing data transfers to third countries with technical and organizational measures to address the requirements set forth in the CJEU’s Schrems II decision. The description of these supplementary measures must be precise and specific and cannot be provided in general terms. It is recommended that the parties carefully consider the EDPB’s final recommendations on supplementary measures when concluding the 2021 EU SCCs.
The EU 2021 SCCs also require that the parties assess and document the data transfer risks, and make this documentation available to supervisory authorities upon request. To further address the Schrems II judgment, the 2021 EU SCCs impose extensive obligations on the data importer in relation to disclosure requests from public authorities. These obligations include:
- Using best efforts to obtain a waiver of any prohibition on notifying the data exporter of the disclosure request;
- Providing regular information on requests to the data exporter;
- Assessing the legality of the disclosure request; and
- Minimizing the extent of the disclosure.
How to Implement the Recommended Supplementary Measures?
While the new SCCs reflect many of the contractual supplementary measures that the EDPB recommended on June 18, 2021, signing the SCCs alone is not enough. The EEA data protection authorities consider that, given the nature of contractual measures (which are generally not capable of binding the authorities of a third country when those public authorities are not party to the contract), contractual measures may often need to be combined with other technical and organizational measures to provide the level of data protection that EU law requires. Consequently, VeraSafe recommends reinforcing the contract with other types of measures such as implementing state-of-the-art encryption (both at rest and in transit), strong key-management policies (if possible, the keys should be in the sole control of the data exporter), and reviewing any law enforcement request procedures and transparency reports the data importers may have issued.
Once the parties are certain that these measures are in place, the parties should document them and reflect them in a contract. These are commonly included in an appendix to the DPA. (Yasmeen Rasool)
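As an added illustration of the key-management recommendation above (this is example code, not VeraSafe’s or the post’s own), the following Go program shows exporter-side encryption: the data exporter generates and keeps the AES-256-GCM key, the data importer stores only ciphertext it cannot read, and each record id is bound as associated data so ciphertexts cannot be swapped between records. The Exporter and Importer types, record ids and sample data are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Exporter keeps the data-encryption key inside the EEA; only the Exporter
// can decrypt, so the Importer holds nothing readable to hand to anyone.
type Exporter struct{ aead cipher.AEAD }

// Importer (the non-EEA party, an assumed type) only stores opaque bytes.
type Importer struct{ store map[string][]byte }

// NewExporter generates a random AES-256 key and wraps it in AES-GCM.
func NewExporter() (*Exporter, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Exporter{aead: aead}, nil
}

// Seal encrypts one record before it leaves the EEA. The record id is bound as
// associated data, so a ciphertext cannot be swapped between records unnoticed.
// Output layout: nonce || ciphertext+tag.
func (e *Exporter) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, e.aead.Seal(nil, nonce, plaintext, []byte(id))...), nil
}

// Open decrypts a record fetched back from the importer, verifying tag and id.
func (e *Exporter) Open(id string, blob []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return e.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

func NewImporter() *Importer                      { return &Importer{store: map[string][]byte{}} }
func (i *Importer) Store(id string, blob []byte) { i.store[id] = blob }
func (i *Importer) Fetch(id string) []byte       { return i.store[id] }
```

Encryption in transit (TLS between the parties) is assumed separately and is not shown; the point here is that a disclosure request served on the importer can only yield ciphertext.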
Can I Use the New SCCs to Transfer Personal Data from the UK to Other Countries?
Not yet. The good news is that companies might be able to use the 2021 EU SCCs in the future for other jurisdictions without too much paperwork. On August 11, 2021, the UK Information Commissioner’s Office (ICO) launched a consultation paper on “International transfers under UK GDPR” and one of the documents released along with the paper was a draft UK Addendum to the European Commission’s new Standard Contractual Clauses.
There is no guidance accompanying the draft UK Addendum to the 2021 EU SCCs; however, it appears intended to be entered into by parties that have concluded the 2021 EU SCCs, thereby reducing the need for parties to enter into both the new EU SCCs and the (still in draft form) UK SCCs. If adopted, this would be a welcome development for exporters with activities in the EU and the UK.
Naturally, nobody wants to go through the annoying process of modifying the contracts now and having to modify the contract again to include the UK Addendum, if approved. To avoid this situation, we recommend addressing this scenario now. Proactively revise your contracts to incorporate by reference any future UK-approved addendum to make the new EU SCCs applicable to international transfers subject to UK data protection law as of the date of approval. The contract should also state that the applicable “old” EU SCCs govern such transfers until that date. (Isabel Fernández del Campo)
Can I Use the New SCCs to Transfer Personal Data from Switzerland to Other Countries?
Yes, you can, and you should. On August 27, 2021, the Swiss Federal Data Protection and Information Commissioner (FDPIC) recognized the new 2021 EU SCCs for international transfers to non-whitelisted countries (list available only in French) subject to Swiss data protection law. To use the 2021 EU SCCs, organizations must 1) implement supplementary measures, and 2) make some adjustments to the SCCs to make them applicable to transfers subject to Swiss law.
Switching to the 2021 EU SCCs will also release organizations from notification obligations and enhanced scrutiny from the Swiss FDPIC. While data exporters relying on the “old” SCCs (which can continue to be used until December 31, 2022) still have to notify the FDPIC in advance of their use of the SCCs and submit them to the authority for examination, data exporters using the 2021 EU SCCs only have to generally inform the FDPIC that they’re using the 2021 EU SCCs, without submitting a copy to the authority. (Isabel Fernández del Campo)
[1] The EEA includes the 27 EU Member States, Liechtenstein, Iceland, and Norway.
[2] A survey conducted by DigitalEurope showed that 85% of companies surveyed are using the SCCs. https://www.digitaleurope.org/news/schrems-2-data-transfers-survey-85-of-companies-in-europe-use-standard-contractual-clauses/
[3] European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, adopted on 07 July 2021, paragraph 103.