On June 4, 2021, the European Commission released two new set of contractual clauses :
- A set of clauses for personal data transfers from Controller to Processor within the Union as required under article 28 GDPR (C to P clauses) (here)
- An updated set of the Standard Contractual Clauses for international transfers (here)
Although the C to P clauses were not necessarily awaited since most organisations had to update their GDPR clauses three years ago, it is still useful to have a standard template to check what the expected level of compliance is.
On the contrary, the new set of Standard Contractual Clauses (SCCs) was eagerly awaited as the former SCCs were difficult to use in a complex environment and, more importantly, were not in line with the GDPR requirements and with the standards set by the European Court of Justice following the Shrems II decision requiring that an assessment of the legislation of the recipient country was carried out before transferring the data. (see here for more details).
Although the new set of SCCs allows for more flexibility, it still leaves to the organisations transferring personal data outside the EU the burden to assess whether or not the legislation of the third country recipient could potentially contradict the content of the clauses and the GDPR.
This article will focus on the main novelties of the new set of SCCs that you can find here.
Date of enforceability of the new set of SCCs and the 3 month period given to the organisations to update the former SCCs currently in use
The EC released the new set of SCC on June 4, 2021. However, to be enforceable it must be published in the Official Journal, which has not yet happened.
The decision will enter into force twenty days following its publication and the former SCCs will be automtically repealed three months following the entry into force of the decision.
In practice, it means that all organisations relying on the former set of SCCs should take the necessary action to update their international data transfer contract within 3 months and 20 days from the publication of the decision in the Official Journal of the EU.
Scope of the SCCs
This new set of SCC provides for modules/optional clauses so that it can be used for data transfers between the following type of parties:
- Controller to Controller (C to C)
- Controller to Processor (C to P)
- Processor to Processor (P to P)
- Processor to Controller (P to C)
The last two options are the innovations provided by this new set of SCCs.
Furthermore, the European Commission set out in its decision that SCCs are necessary only to the extent that the processing by the data importer, whether it is a controller or a processor, does not fall within the scope of the GDPR.
Therefore, if the data importer is located outside of the EU but is subject to the GDPR as part of the processing operations it is supposed to carry out, the SCCs should not be necessary as the GDPR is directly applicable.
This position requires clarifications from the European Commission as it could be misleading. (In our opinion, it should be construed as the SCCs are not necessary only to the extent the importer has appointed a Representative in the EU as part of its GDPR obligations for this type of processing activities. Indeed, this is a guarantee that GDPR applies directly to the third party and that data subjects’ rights may be enforced).
Besides, and for the avoidance of doubt, the P to C clauses are only useful between the Importer Controller not subject to the GDPR and its own processor subject to the GDPR (as opposed to the processor transferring the data to the Importer Controller on instruction of another controller).
In practice and especially in the case of intra-group agreement, it would be recommended creating a set of clause for each situation so that it would make the reading and the understanding of the SCCs easier.
Content and use
The content of the SCCs is not very different from the former set of SCCs in the sense that it requires similar types of information in the annex (purposes and nature of processing operations, categories of data etc.) and provides for third party beneficiary clauses (i.e. rights of data subjects in case of breach) etc.
However, they provide for more flexibility insofar as they now expressly allow for their use in a multiparties agreement. It does not mean such a use was forbidden before but it was not clear how we could draw up/fill in the SCCs when more than two parties was involved and it created legal uncertainties.
Indeed, it is now possible to use an annex per type of transfer and multiple parties can adhere to it.
It is also possible for a new parties to enter into the SCCs at a later stage provided the other parties agreed to it.
Assessment of the legislation of the recipient third country
The legislation or any contract between the parties should not contradict in any ways the content of the SCCs or have the effect to prevent its application. This is not a new requirement but it is now emphasized by the recent ECJ ruling (Schrems II).
As a result, if the legislation of the third country where the recipient is located were to prevent the latter from complying with the SCCs, it should, in principle, stop receiving the personal data and notify the Exporter.
Besides, the ECJ ruled in the Schrems II decision that in order to send data to a third country on the basis of the (former) SCCs, the controller should make an assessment of the local legislation and, where it is found that it does not respect the essence of the fundamental rights en freedoms or exceed what is necessary and proportionate in a social and democratic society to safeguard the objectives laid down in article 23 (1) GDPR (i.e. national security etc.), it should implement additional measures. If despite the implementation of these additional measures, it is still not safe to send the data, the transfer should be deemed illegal.
The new set of SCCs, instead of helping the controller to make this assessment, put an obligation on the latter to carry out this assessment taking into consideration:
- the specificity of the transfer (duration, type of data etc.) ;
- the laws and practices of the third country of destination ;
- any relevant contractual, technical safeguard
It also requires that the controller be able to demonstrate it carried out this assessment on request of the competent authority.
This set of clauses, although in line with the ECJ ruling, is not very helpful and leave a massive burden on the shoulder of the controller.
Indeed, given that the European Commission failed twice to carry out the correct assessment with regard to the US, it seems out of reach for most organisations to be able to carry out such assessment and leave a lot of legal uncertainties.
However, it may rely on the EDPB guidelines to carry out this assessment and find the correct measures (see here).
Except for transfer from Processor to Controller, the applicable law should be the one of a Member States which allows for third-party beneficiary rights.
In the former case, it may be a law of any country to the extent it allows for third party beneficiary rights.
As a result, before choosing the applicable law, it must be ensured that the law of the country chosen allow third party such as data subjects to enforce the rights stemming from a contract to which they are not a party.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.