Deadline to adopt EU Standard Contractual Clauses
Many organizations use the European Union’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) to other countries. Some organizations have ongoing transfers that started before the new SCCs (available here and discussed here) became effective in June 2021. Generally, ongoing transfers can continue to be made under the old SCCs until the grace period expires on December 27, 2022. That is the date from which any new SCC-based transfers must be made under the new version of the SCCs.
The new SCCs contain four “modules” to govern the following basic transfer scenarios:
| Module | Exporter | Importer |
| --- | --- | --- |
| One | Controller | Controller |
| Two | Controller | Processor |
| Three | Processor | Processor |
| Four | Processor | Controller |
Transitioning to the new SCCs requires more than just circulating a new form agreement to your counterparties. Putting the new SCCs in place requires more work on the annexes than the old versions did, and the legal provisions of the new SCCs are far more detailed than those of the old SCCs. Reviewing the new SCCs and checking that your organization complies may take some time if your organization is not already fully GDPR-compliant. Determining which of the four modules of the SCCs applies to your transfer may also not be straightforward. Once you select the appropriate module or modules, you should delete the irrelevant text. The EU Commission’s Q&A on the new SCCs may be helpful in understanding how to implement the SCCs.
Transfer Risk Assessments
The heavy lifting in the new SCCs centers on the transfer risk assessment required by Clause 14 of the SCCs. Clause 14 makes the transfer risk assessment that is required following the Schrems II decision (discussed here) an express contractual obligation. Failing to perform a transfer risk assessment is no longer just a matter of ignoring EU case law (never a good idea, of course). Under the new SCCs, failing to conduct a transfer risk assessment could give rise to a breach of contract claim, exposure to third-party claims by the affected data subjects, and very clear exposure to sanctions from the EU data protection authorities. Sanctions can include an order to stop the offending data transfer immediately.
So what is a transfer risk assessment? It’s a review of the laws and practices of the importing country that could result in the disclosure of the personal data to public authorities. The new SCCs require both parties to “warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.” The parties are expressly required to declare that they have considered the potential applicability of “the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards.” The parties to the new SCCs are also required to document their transfer risk assessment and make it available to the data protection authorities on request.
For US companies, that means delving into US national security laws and practices. If the data will be transferred (or further transferred) to other countries that lack an EU adequacy decision, then you will need to do the same analysis of the laws and practices of those countries. The European Data Protection Board’s guidance (discussed here and available in its final form here) illuminates how far you need to drill down on these questions.