19 October 2022
The CJEU ruling in Schrems II (Case C-311/18) not only brought an end to the EU-US Privacy Shield, but was also the impetus for the European Commission to issue new standard contractual clauses ("SCCs 2021") – more than two years after the GDPR came into force.
Since 27 September 2021, the old standard contractual clauses can no longer be used for new or modified data transfers from the EU to a third country. For existing data transfers, the European Commission granted the parties a transitional period; this ends on 27 December 2022. As of this date, only the SCCs 2021 can be used to secure third country transfers (unless another transfer mechanism under the GDPR applies).
If not already done, data exporters should do the following:
Unlike the previous standard contractual clauses, the SCCs 2021 follow a modular approach. This means that four different transfer scenarios are covered in one document (module 1: controller to controller; module 2: controller to processor; module 3: processor to processor; module 4: processor to controller):
The EU Commission expects the parties to assemble an individual contract from the bundle depending on which module is applicable to their particular situation. If you want to save yourself this effort, you can use the Taylor Wessing SCC Generator.
Alternatively, it seems reasonable to incorporate the SCCs 2021 "by reference" in a main contract. The advantage of this approach is that the entire (very long) set of clauses does not have to be embedded in the main contract; the standard contractual clauses can simply be referred to. It should be noted, however, that even in this case it must be made clear which module the parties want to conclude. Furthermore, a decision must be made regarding all optional clauses as well as the placeholders (see below). In addition to the actual reference to the SCCs 2021, the required information must therefore be provided, for example in the form of an annex to the main contract.
Clause 7 (Docking clause), clause 9 (Use of sub-processors) and clause 11 (Redress) of the SCCs 2021 contain optional provisions. Furthermore, a question that regularly comes up is whether a liability clause can or should be included:
Unlike before, the SCCs 2021 allow the parties to choose the applicable law (clause 17) and the place of jurisdiction (clause 18) themselves. In regard to these possibilities, the following options exist:
As far as we know, all EU member states now grant the corresponding third-party beneficiary rights in the area of data protection, so that in fact the law of any EU member state can be chosen for module 1.
The choice of applicable law and jurisdiction is particularly relevant where the main contract is not governed by EU law or EU courts, which creates a divergence between the main contract and the SCCs 2021.
As before, the details of the data transfer to be secured with the SCCs (information on the parties, details of the transfer, information on TOMs and sub-processors) need to be included in the annexes to the clauses. However, unlike with the old SCCs, the Commission's expectation regarding the level of detail has increased significantly. An example of what is expected can be found in question 39 of the Q&A on the SCCs 2021 published by the EU Commission in 2022.
The core element of the new SCCs is the so-called transfer impact assessment (TIA). The contractual obligation arises directly from clause 14 lit. b and d of the SCCs 2021 and, in this regard, mirrors the corresponding obligation under the GDPR and, not least, the Schrems II decision.
The TIA requires the parties to assess whether the applicable laws and practices in the third country of the data importer (in particular with regard to data access by intelligence services) prevent the data importer from fulfilling its obligations under the SCCs 2021. It is therefore necessary to assess the national legislation in the recipient country.
Strictly speaking, the data exporter would have to carry out a detailed evaluation, for example with the help of a local lawyer. In practice, however, it seems more common for the data exporter to ask the importer for information on the national law and to rely on the importer's feedback. This approach does not seem unacceptable. In any case, however, the exporter cannot avoid at least a plausibility check.
When considering the approach, it should also be borne in mind that there is a certain probability that, for most national laws, the assessment will show that the local law does not provide adequate safeguards. In this context, it should be taken into account that even national provisions of the EU Member States are subject to occasional concerns under data protection law, as recently shown by the CJEU's judgment on the German rules on data retention (Joined Cases C-793/19 and C-794/19, "Vorratsdatenspeicherung"). It therefore seems advisable, especially for reasons of efficiency, to adopt a pragmatic approach which, in case of doubt, focuses less on the evaluation of the law and more on the identification of possible supplementary safeguards.
Note: In early October this year, President Biden signed an Executive Order (EO) intended to improve protections for data subjects with regard to US signals intelligence activities. The EO is meant to address the issues raised by the CJEU in the Schrems II decision and to pave the way for a new EU-US data transfer framework. Its provisions took effect immediately. A final assessment by the European Commission is expected by March 2023. Even before that date, however, the requirements set out in the EO could influence the outcome of a TIA for a data transfer to the USA and thus reduce the risk of such transfers.
The EU Commission seems to place the (main) responsibility, also contractually, primarily on the data exporter. The wording of clause 14 suggests that there is at least a duty of cooperation on the part of the data importer. This seems appropriate, because the data exporter depends on the importer's assistance when carrying out the assessment.
Clause 14 is ambiguous as to how far "along the chain" the TIA must be carried out, in particular whether sub-sub-processors also need to be included. Although the data protection supervisory authorities seem to assume a rather comprehensive obligation, in practice a more pragmatic approach seems to prevail in many cases: many data exporters include only the first stage (i.e. transfers from the data importer to its subcontractors) in the assessment and disregard any further transfers down the line.
For data transfers from an exporter in the EU to an importer in the EU, there is no obligation to conduct a TIA, because there is no transfer to a third country. In such scenarios, however, the data importers usually use (sub-)processors in a third country. If this onward transfer is secured with the SCCs (module 2 or 3), the EU importer and the (sub-)processor are the addressees of clause 14 and thus responsible for the TIA, not the EU controller. The latter, however, arguably still has an obligation under Art. 28 GDPR to ensure that the TIA is carried out in a reasonable manner. One control measure could be to include in the data processing agreement a corresponding contractual obligation for the processor to carry out the TIA.
For data transfers from Switzerland and the UK, the SCCs only apply directly to the extent that these transfers are subject to the GDPR. Usually, however, Swiss or UK data protection law applies as well. The authorities in the UK and Switzerland have therefore each decided that they will also recognise the SCCs for data transfers under the respective national law, provided the parties make certain adjustments.
There are deviations in the expiration of the transitional period:
But beware: this only applies to transfers that fall exclusively under UK or Swiss data protection law. For data transfers that are (also) subject to the (EU) GDPR, the deadline remains 27 December 2022.
Data exporters who have to assess a large number of third-country transfers in particular will hardly be able to manage these "manually" within a reasonable period, let alone within the next two months.
Support can be provided by the Taylor Wessing TIA Tool. It is a solution for the management, implementation and documentation of all TIAs. The TIA Tool simplifies and automates all relevant processes in connection with TIAs. If you have any questions, please do not hesitate to contact us.
by multiple authors