July 26, 2021

contracts data privacy GDPR privacy contracts consulting standard contract clauses personal data data processing solutioning

On June 4, 2021, the European Commission published new versions of its Standard Contract Clauses (SCCs) under the European Union’s (EU) General Data Protection Regulation (GDPR).

This highly anticipated development adds another task to an already growing workload for business leaders and privacy leads in companies doing business in the EU and those countries that have gained EU Adequacy status. The challenge is how – in a very short amount of time – they handle the painstaking task of identifying and repapering large volumes of contracts concerning the transfer of personal data to organizations based outside the EU and in countries where Adequacy has not been achieved. Many of these companies and their vendors are turning to technology-driven contract services for guidance and resources.

It has been estimated that 85% of companies transferring personal data from the EU to third countries use SCCs as their legal mechanism, with more than 90% of those companies using SCCs to transfer European personal data to the United States, often to their own corporate affiliates. SCCs have been a complicated but reliable means of exporting personal data from Europe for at least 20 years.

European data protection law (both GDPR and its predecessor, the Data Protection Directive) have long required that data exporters (e.g., a “data controller” based in Europe) and data importers [e.g., “a data processor” (a supplier) located in the U.S., India, or China] have “adequate” data protection in place or find an exception in the law. This has left organizations with a few viable options, including SCCs, to effectuate European data transfers.

However, following the “Schrems II” ruling one year ago, serious doubt was cast on the continuing legality of the existing versions of the SCCs (long overdue for an overhaul). This prompted the European Commission to develop new versions of the SCCs, which came into effect on June 27, 2021. It has also led to additional guidance being adopted by the European Data Protection Board on supplementary measures that need to be put in place by companies when assessing third country data transfers.

The end of June signalled the start of a transitional period during which organizations are expected to implement the new SCCs by amending their existing data transfer agreements with applicable suppliers and partners to incorporate the new SCCs and/or by signing new SCCs with new suppliers and partners where transfers of European personal data are concerned.

While the new SCCs are not immediately in force, compliance with them will be required for new transfer agreements entered into from September 27, 2021. SCCs currently in effect must be replaced with the new SCCs by late December 2022. Understandably, this can be a daunting task for organizations that may have hundreds, if not thousands, of suppliers and partners, including their own corporate affiliates, who may need to control or process European personal data.

The new SCCs are still being analyzed, and European regulators have indicated that additional compliance guidance is forthcoming. In the meantime, key changes in the new SCCs can be briefly summarized as follows:

Four Possible Modules.  Organizations now have four possible modules from which to choose (as opposed to two, previously). Depending on which are applicable, they can now use one or multiple modules in a single contract: 1) Controller-Processor; 2) Controller-Controller; 3) Processor-Processor; and/or 4) Processor-Controller. Also, the SCCs can now stand alone without technically requiring a separate/additional Data Processing Agreement.

Onward Data Transfers.  SCCs can now be used by parties that are not established in the EU, e.g., the “Data Exporter” (normally the Controller) does not itself have to be established in the EU to use the clauses. However, the EU will now impose some added responsibilities on the data exporter and importer to ensure that onward transfers of personal data are compatible with GDPR.

“Docking Clause.”  Multiple data exporters can now be a party to the same SCCs and additional parties (exporters and importers) can be added over time. This may offer better flexibility for organizations to adapt their SCCs to changing business needs.

Transfer Impact Assessment (TIA).  The parties to the SCCs will need to assess the risks associated with transferring European personal data to a non-EU country taking into account the risk-based EDPB guidance. The TIAs should be documented and will need to be made available to relevant European supervisory authorities upon request.

From now until the end of the transition period (December 27, 2022), organizations large and small who control and/or process European Personal Data will marshal their legal, procurement, privacy, and other internal teams, along with their outside counsel and contract support suppliers, to come to grips with the challenges of the new SCCs.

In terms of actions, companies will likely have the following key actions (jobs to be done) stemming from these requirements:

• Assess the volume and scope of existing agreements that need to be amended with the new SCCs and determine which of those existing agreements require priority attention.
• Identify appropriate amendment mechanisms and design efficient and effective processes to amend existing agreements with the new SCCs.
• Develop go-forward strategies for new agreements, including how to manage transfer impact assessments and tracking of progress.
• Implement improved processes to negotiate new agreements efficiently and effectively and to apply the right data protection terms, including the new SCCs.

However, there will be no one-size-fits-all approach that will work.

Each company will need to assess its own situation. The best approach will vary depending on the existing state of readiness of your privacy program, the size of your team, the existing contract management processes you have in place, the risk profile of your business, and the data you handle.

Careful assessment and planning will support any business to approach this new task with a pragmatic, risk-focused, and smooth transition to the new SCCs.

*Footnote – The Brexit impact is never too far away, and so it is worth noting the situation differs slightly for transfers from the UK to third countries due to Brexit. All transfers from the UK to third countries will be done under the ‘old’ SCCs, but taking account of the principles in Schrems II. In effect, such transfers will be subject to a Transfer Impact Assessment (TIA) until the UK ICO publishes UK’s own SCCs.

For more information, contact us here.