New Standard Contractual Clauses for Transfer of Personal Data to Countries outside of the EU/EEA

Background

Standard contractual clauses (“SCCs”) adopted by the European Commission are broadly relied on to legitimise the transfer of personal data to countries outside of the EU/EEA (“third countries”). The purpose of these SCCs is to ensure appropriate data protection safeguards for international data transfers.

The Commission has recently adopted new SCCs replacing the current ones, which in turn were based on the repealed Data Protection Directive 95/46.

Main changes

The adoption of new SCCs is made on the basis of the new requirements introduced by the General Data Protection Regulation (“GDPR”). Whereas the current SCCs are based on Directive 95/46, the updated clauses are consistent with the obligations of the GDPR.

The new SCCs are more flexible in that additional categories of data importers and exporters are included. Further to controller-to-controller and controller-to-processor transfers, the new SCCs can be used for transfers from processors to processors, and from a processor to a controller. They set out a combination of general clauses, which apply to all transfer scenarios, and a modular approach which caters for the different specific scenarios. The exporters and importers can select the module which applies to their situation to tailor the SCCs to their roles and responsibilities. The new SCCs also include a docking clause which allows for more complex data processing chains involving multiple parties.

In relation to recent developments in European case law, the new SCCs include certain changes that specifically address effects of local laws and practices on the data importer’s compliance with the SCCs. However, the new SCCs will not be sufficient to comply with the GDPR if the laws and practices of the third country of destination prevent the data importer from complying with the clauses, e.g., if the local laws include a requirement to disclose personal data or otherwise grant access to data for public authorities.

Local laws in the destination country affecting compliance

Transfer of personal data under the SCCs should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses, e.g., if the local laws include a requirement to disclose personal data, or otherwise grant access to data for public authorities. This applies both under the current and the new SCCs.

Under the new SCCs, the parties warrant that they have no reason to believe that the laws and practices applicable to the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs. When extending such warranties, the parties must take due account to certain elements, in particular the specific circumstances of the transfer, the relevant laws and practices of the third country, and any supplementary safeguards put in place. Supplementary safeguards could be contractual, technical, or organisational, applying to the transfer of personal data and its processing in the third country. Additionally, the data importer must warrant that it has used its best efforts to supply the data exporter with information relevant for the above assessment and the parties shall document the assessment.

Furthermore, the new SCCs address how to deal with requests from public authorities in the destination country for disclosure of the transferred personal data. Where possible, the data exporter and the data subject should be informed about such requests. Similarly, the exporter and the data subject should be informed if the importer becomes aware of any direct access by public authorities to personal data. The importer should document any request for disclosure received and the response provided. Where possible, the importer should also challenge and appeal such requests.

From when do the changes apply?

The decision implementing the new SCCs will be effective from 27 June 2021, and the new SCCs can be used from that date.  Agreements can be entered into on the basis of the current SCCs until 27 September 2021; after that date no new agreements may be entered into based on the current SCCs. However, data importers and exporters can still rely on the current SCCs for the performance of contracts that were entered into before 27 September 2021, as long as no material changes to the contracts occur, and they ensure that the transfer is subject to appropriate safeguards. Data exporters and data importers have until 22 December 2022 to replace all existing contracts which are using the current SCCs with the new SCCs. Thus, companies currently relying on the SCCs for international data transfers, should plan on making the necessary adjustments.

Magnusson comments

At Magnusson the data protection team provides advice on legal and regulatory aspects of privacy and data protection at both a local and international level. We work alongside our Intellectual Property and Technology experts to guarantee that our clients receive comprehensive, state-of-the-art support.

The team has led numerous GDPR-implementation projects and regularly advises on cross-border matters and personal data breaches.

If you want to know more about the new SCC or how they affect you, do not hesitate to contact Helena Rönqvist