Dr Emma Grech, Partner at City Legal, and Celine Abela, trainee at City Legal, provide an overview of the European Commission’s new Standard Contractual Clauses (the “SCCs”), which may be used by businesses for transfers of personal data to third countries. The authors explain how the new SCCs provide for stricter requirements aimed at safeguarding the personal data of data subjects within the parameters of the General Data Protection Regulation, noting that contractual parties have until 27 December 2022 to fully implement the new SCCs into their data transfer contracts, effectively discontinuing use of the old SCCs by that date. 

9 November 2022

What is an international transfer of Personal Data?

International trade is ever-increasing. Modern-day economic growth has been propelled by an increased reliance on data-driven technology. The processing of personal data belonging to individuals within the European Economic Area (the “EEA”)[1] is regulated by the General Data Protection Regulation (the “GDPR”).[2] This data privacy framework provides robust safeguards for the lawful processing of personal data. However, does the GDPR guarantee the same level of protection in the context of personal data being transferred to third countries?

The GDPR provisions under Chapter V were promulgated to harmonise personal data transfers to third countries across the EEA, as well as to up the ante in balancing the need for data transfers as a basis for trade between countries with the individual’s right to privacy.

For a data transfer to qualify as an international transfer, the Court of Justice of the EU – in its judgment of Bodil Lindquist[3] – identified three cumulative criteria:

1. A data controller or processor who intends to export data has to be subject to the GDPR for the processing activity;
2. The data exporter has to make available personal data to a data importer; and
3. The data importer is in a third country or is an international organisation.

The data exporter does not necessarily have to be in the EEA to be caught by the GDPR’s provisions vis-à-vis international transfers. The mere fact that the exporter offers goods or services to individuals in the EEA triggers the applicability of the GDPR to ensure the same level of protection afforded to personal data of individuals located within the EEA.

Transfers of personal data to a third country may take place where the European Commission has issued an ‘Adequacy Decision’ in accordance with Article 45 of the GDPR. In essence, this consists of a thorough assessment to determine the adequate level of data protection in the data importing third country. Whilst the European Commission has issued Adequacy Decisions in respect of some third countries,[4] most non-EEA countries still fall short of providing adequate protection to personal data transfers to the standards expected under the GDPR. However, to mitigate discouragement from cross-border transfers, the Commission has provided data exporters with several legislative tools in order to enable them to effect, in a safe manner, international personal data transfers. These tools include the notorious Standard Contractual Clauses, or the SCCs.  

What are Standard Contractual Clauses?

The European Commission has defined the SCCs as, ‘standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law.’[5] Allowing for a harmonised approach across the EEA and thus providing enhanced legal certainty, the SCCs are fairly simple to implement without the need to seek prior authorisation from a national data protection authority, as opposed to other compliance mechanisms, such as ad hoc data transfer contracts.

Prior to the European Court of Justice’s landmark judgment in Schrems II,[6] which in essence invalidated the Commission’s Implementing Decision (EU) 2016/1250 of the European Parliament and the Council on the adequacy of the EU-US data protection shield (or the ‘Privacy Shield’), a set of SCCs under the European Community’s 1995 Data Protection Directive were used and are still – to an extent – being used by data exporters for international personal data transfers. These contained commitments with respect to essential data protection principles, security obligations, third party beneficiary rights and submission to the jurisdiction of EEA data protection authorities and courts.

On 27 June 2021, however, the European Commission adopted the newly updated SCCs, which build upon – and refine – the principles enshrined in the old SCCs. Indeed, the rationale behind the newly updated SCCs finds its basis in the abovementioned Schrems II judgment.

It is to be noted that the new SCCs now cover all transfer scenarios in four ‘Modules’ as follows:

• Module 1 covers transfers from Data Controller to Data Controller;
• Module 2 covers transfers from Data Controller to Data Processor;
• Module 3 covers transfers from Data Processor to Data Processor; and
• Module 4 covers transfers from Data Processor to Data Controller.

Three annexes have been added, which shall be used by the contractual parties depending on the Modules relevant to the data transfer relationship. The first Annex provides for an optional docking clause allowing multiple parties to join a contract entered into between the original parties in the future, increasing flexibility in the data processing arrangement throughout the life cycle of the agreement in question. Annex 2 includes a list of technical and organisational measures, such as pseudonymisation, which the parties to the SCCs undertake to adopt in order to ensure an adequate level of protection of the data being transferred. Annex 3 provides for a list of sub-processors, where and as applicable.  

The onerous requirement of a transfer impact assessment has also been included in the new SCCs. This imposes the obligation on the data exporter to review the laws of the foreign jurisdiction to which it is transferring the personal data in order to gauge the impact of said transfer and resultant security implications as deriving therefrom. Such assessments must be conducted for each personal data processing activity. The European Data Protection Board (the “EDPB”) issued updated Recommendations No 01/2020[7] by way of guidance for the purposes of conducting such data transfer impact assessments.

Furthermore, the new SCCs incorporate the requirements of Article 28 of the GDPR regulating sub-processing in relation to Controller-Processor and Processor-Processor data transfers under Modules 2 and 3. Resorting to these Modules eliminates the requirement of entering into a separate data processing agreement with the sub-processor since these clauses guarantee adequate safeguards to data transfers.

Finally, new obligations have been imposed in case of access by public authorities to the data being transferred. In case of legally binding requests for the disclosure of the personal data transferred or direct access of such data by a public authority or court in the third country, the SCCs oblige the data importer to immediately notify the data exporter. In case of a legally binding request, notification shall also be sent to the data subject.

It is important to bear in mind that the general clauses found in the SCCs are applicable to every transfer scenario and the text should be adopted by the contractual parties verbatim, without any alterations. The only alterations necessary to the text are the selection of the Modules and, or specific options offered in the text, alterations to complete the text where necessary such as to indicate competent courts, authorities and time periods, and those required in order to fill in the applicable Annexes. The new SCCs may, however, be supplemented by additional clauses or else incorporated into a broader commercial contract provided that the contractual provisions do not contradict the SCCs or prejudice the rights of the data subject.

Using the New SCCs: Act Now!

All agreements for international transfers concluded after 27 September 2021 were and are to be based on the new SCCs. However, agreements entered into prior to this date, and hence based on the previous SCCs adopted under the 1995 Data Protection Directive, have been made subject to a transitory period – lasting until the 27 December 2022 – by when they are to undergo the necessary updates and achieve complete alignment with the new SCCs. Organisations that have not as yet begun remedying their existing contracts in order to ensure they meet the relevant deadline are advised to do so at their earliest.

From 27 December 2022 onwards, it shall no longer be possible to lawfully transfer personal data to third countries on the basis of the old SCCs; meaning that, naturally, the new SCCs must be implemented by all data exporters and importers should this legislative tool for international transfers be opted for by the parties.

 

For additional information and assistance on the applicable law regarding data protection, inclusive of any of your data transfer requirements, please contact us on:

Dr Emma Grech, Partner –

[email protected]

Celine Abela, Legal Trainee –

[email protected]

DISCLAIMER: The information contained in this document does not constitute legal advice or advice of any nature whatsoever. Although we have carried out research to ensure, as far as is possible, the accuracy and completeness of the information contained in this article, we assume no responsibility for errors or other inconsistencies herein.

 

 

 

 

 

 

 

[1] The EEA shall be taken to mean the 27 Member States of the European Union and Iceland, Norway and Liechtenstein.

[2] Regulation (EU) 2016/679.

[3] Case C-101/01 Bodil Lindquist [2003] ECLI:EU:C:2003:596.

[4] The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom and Uruguay. All Adequacy Decisions do not cover data transfers in the law enforcement sector, save for the United Kingdom.

[5] European Commission, ‘Questions and Answers for the two sets of Standard Contractual Clauses’, 25 May 2022.

[6] Case C-311/18 Schrems II [2020] ECLI:EU:C:2020:559.

[7] EDPB, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 18 June 2021.