The new standard contractual clauses - What is new and when do they have to be implemented?

Date: 
Monday, 7 June 2021

Since the Schrems II decision in July 2020, there has been great legal uncertainty regarding data transfers to recipients in third countries outside the EEA, in particular to the USA. This uncertainty is also fueled by the numerous proceedings initiated by noyb. Therefore, the new Standard Contractual Clauses  which were already announced at the end of last year, were longingly awaited. They are supposed to ensure appropriate safeguards according to Art 46 GDPR, in order to permit transfers to such third countries. The wait is now over: the EU Commission published the final version of the standard contractual clauses (SCC) on Friday, June 4. Compared to the preliminary draft from November 2020, which we have summarized for you here, little has changed in terms of content. The modular structure, the long-overdue mapping with the GDPR (instead of relying on the Data Protection Directive) and extensions of the obligations of both parties lead to a higher level of protection compared to the previously widely used SCCs. Our DORDA data protection experts have compiled the most important changes to the final draft 2020 for you:

Hard facts - what has changed?

  • The transition periods have been adjusted in both directions:
  • The new SCCs do not apply immediately, but only 20 days after their formal publication in the Official Journal of the EU. The latter should take place "in the coming days".
  • The previously applicable SCCs may be used for another three months after publication in the Official Journal.
  • For existing contracts – ie, wherever the previously applicable SCCs were used - a transitional period of 15 months applies instead of the previously announced 12 months.
  • Furthermore, the obligations of the data importer in the case of data access by public authorities – which is crucial in the context of Schrems II – have been specified. For example, the obligation to fight against orders/decisions of public authorities also covers the filing of an appeal with the appellate court.
  • In addition, it was expressly stated - eg, in Recital 20 - that even the new SCCs do not provide sufficient appropriate safeguards in every case. Rather, an overall assessment is required in each individual case to determine whether additional clauses or measures may be necessary. For example, reliable information on the application of the legal provisions in the third country (case law, reports of independent supervisory bodies), the frequency of requests by authorities for disclosure of data within a sector or the documented experience of the contracting parties must be obtained.
  • It has been largely overlooked that, in addition to the SCCs, a European model of a contract processing agreement in accordance with Art. 28 GDPR has also been published. This can be used as a stand-alone agreement or may integrated into existing contracts. Since experience has shown that the company's own documents need to be updated on an ongoing basis anyway, this is a good opportunity to evaluate the need for adaptation and to compare it with the lessons learned over the past three years.

Conclusion

Even the conclusion of the new standard contractual clauses alone is no guarantee for a secure third country data transfer in the future. In this respect, the EU Commission has therefore followed the strict approach of the European Data Protection Board (EDPB). In practice, this means that risk assessment and case-by-case evaluation will continue to accompany us. In addition to any additional contractual assurances that may be required, the accompanying technical measures listed as examples in Annex II, such as encryption mechanisms, will be of central importance in securing legally compliant data transfer.

In any case, the new SCCs that have now been issued mean that there is an urgent need for action, and hopefully they will also put an end to the shock paralysis or waiting mode that has occurred in some cases among US providers. It is now clear what is necessary for a lawful data transfer and how the previous legal bases must be adapted. The transition period for existing agreements is, on the one hand, generous, but on the other hand, there is a very timely and urgent need for adjustments for new agreements.