New EU standard contractual clauses - what's new? New EU standard contractual clauses - what's new?

On June 4, 2021, the European Commission adopted new standard contractual clauses (SCC) for the transfer of personal data in countries without equivalent data protection clauses taking into consideration the feedback received during the public consultation and the EDPB - EDPS Joint Opinion. Anyone concerned will have 18 months to introduce this new contract template, including the documentation of adequate measures.

These highly anticipated, updated SCCs are intended to ensure lawful transfers of personal data to third countries (non-EU/EEA). An adjustment of the clauses had become necessary due to the entry into force of the GDPR and the Schrems II ruling of the European Court of Justice passed last July.

The new contractual clauses are supposed to better implement the regulatory requirements and the issues raised by the ECJ in its judgment. In the following, we highlight some of the amendments that were made and explain what this could mean for businesses.

• Modular Approach (different modules – building blocks):
  Previously SCCs could only be applied to data transfers between data controllers and data processors. The new SCCs are modular and applicable to a larger number of contracts than before, including contracts at the subcontractor level. This allows the clauses that apply to all cases to be retained, while the flexible modules are selected depending on the relationship between the parties. This approach provides greater flexibility by covering the following data transfer scenarios:
  • Module 1: Controller to Controller transfer
  • Module 2: Controller to Processor transfer
  • Module 3: Processor to Processor transfer
  • Module 4: Processor to Controller transfer

• Adaption to the GDPR: the wording is more closely aligned to the provisions of the GDPR.
• Third Party Beneficiaries Protection: according to Sec. 1 Clause 3, additional third parties are included in the protective effect of certain SCC clauses (e.g. customers of companies)
• Docking clause: according to Sec. 1 clause 7, other entities may join a contract entered into under the SCC as data importer or exporter to the contract
• Replacement of Data Processing Agreements (DPA): the new SCCs now also comply with the requirements for a Data Processing Agreement. This means that if a contract is concluded on the basis of the SCCs, then the conclusion of an additional DPA is no longer required (except in Module 4).
• Taking into account of the CJEU Schrems-II ruling: Sec. III, clauses 14 and 15 contain specific safeguards, which as a result create far more elaborate obligations on the involved parties (increased level of due diligence).  
• Risk-based approach: under clause 14/15 one could argue that a risk-based approach seems to be possible (TIA – Transfer Impact Assessment) but according to EDPB recommendations "objective factors" (regardless of likelihood of occurrence) are decisive
  
  • "Schrems III" already looming on the horizon? noyb, a data protection activist group, already stated in their comments  (December 2020):  "nothing […] indicates that a transfer may take place when it presents a low risk, or that it would require a so-called transfer impact assessment […]. […] noyb will closely monitor the developments regarding this point and take appropriate legal steps should the Commission adopt such an approach and controllers actually rely on this approach."
     
• SCCs take precedence: standard contractual clauses not only take precedence but also supersede, for example, contradictory contractual or GTC clauses (Section I Clause 5).
• Liability provision - Clause 12 in Sec II contains modular liability clauses and (together with the provision on the precedence of the SCC), basically stipulating that the liability of the contracting parties is not limited e.g. by external liability exclusions in GTCs.

• There is a 3-month grace period after the official publication (yet to come) during which the "old" SCCs may still be used - after that, only the new SCCs apply.
  
• The old SCCs will have to be "amended" into new SCCs over the next 15 months.

The new SCCs have been adapted to the more complex data transfers that take place in the modern world. However, the contract is much more than just a document to be signed. Special focus will be on the documentation of the special security measures to be adopted when transferring data into countries where governmental seizure of the data is a topic, like the USA. The new clauses unfortunately are not the "holy grail" businesses were hoping for. The due diligence effort still required by the concerned parties should not be underestimated. 

Companies should now check what personal data they transfer to third countries on the basis of ("old") standard contractual clauses and assess what changes need to be made to replace the old clauses with the new SCCs.

Then it will be a matter of converting the new contract modules into templates that are suitable for everyday business (including the Transfer Impact Assessment). All in all, the effort for handling 3rd country transfers and documentation will remain high. The new SCCs are more than just ticking the box and simply concluding new SCCs alone will NOT be sufficient to comply with the Schrems II requirements. As mentioned above, the documentation of the security measures will play an important role.

These terms will not only be applicable for anyone processing personal data originating from the European Union. Since Switzerland adopted these terms in the past as equivalent, anyone processing "just" Swiss data abroad will also be impacted.