Since the CJEU annulled the EU-US Privacy Shield in July 2020, the European Commission’s Standard Contractual Clauses have in practice formed the most relevant basis for cooperation with service providers and partners outside the EU. The Standard Contractual Clauses have now been fundamentally reformed and the new clauses must be implemented since 27 September 2021. We summarise the most important changes and the resulting need for action.
The GDPR protects personal data of EU citizens also outside the EU. Personal data may only be transferred to countries outside the European Union (so-called third-countries) if an adequate level of data protection comparable to the GDPR is guaranteed in these third-countries. For a number of countries, such as most recently the United Kingdom, the adequate level of data protection has been positively established by an adequacy decision of the Commission. For most countries, however, no such adequacy decision exists. This also applies to the USA since the CJEU declared the EU-US Privacy Shield, which has been in force since 2016, null and void in 2020 (judgment of 16.07.2020 – C311/18 – Schrems II). As an alternative, the focus shifted to the possibility of ensuring an adequate level of data protection on a contractual basis by executing the European Commission’s Standard Contractual Clauses.
These Standard Contractual Clauses have now been thoroughly revised by the European Commission and adopted in their latest edition on 4 June 2021 (Implementing Decision (EU) 2021/914). The new Standard Contractual Clauses are to be applied to all new agreements as of 27 September 2021. For legal relationships established by then, the old Standard Contractual Clauses will remain applicable for another 15 months. However, by 27 December 2022 at the latest, all data transfers to third-countries must be adopted to the new Standard Contractual Clauses or an alternative instrument to ensure an adequate level of data protection.
Modular construction principle for different constellations
To cover the different scenarios of international data transfers, the new Standard Contractual Clauses rely on a modular building block principle instead of the previous separate sets of documents for each scenario. On the one hand, this leads to increased flexibility, especially since data transfers between processors and (sub)processors and between processors and controllers are now also covered. On the other hand, the application of the Standard Contractual Clauses thus gains in complexity, especially since the principle remains that the clauses are only considered a suitable guarantee for ensuring an adequate level of data protection if they are used essentially unchanged.
Model order processing agreement included
In addition to guaranteeing an adequate level of data protection, the new Standard Contractual Clauses also explicitly serve to fulfil the obligations under Article 28 (3) and (4) of the GDPR to conclude a data processing agreement. They are thus at the same time a model data processing agreement. For this purpose, the European Commission also adopted separate model data processing clauses, which can be used in domestic processing scenarios (Implementing Decision (EU) 2021/915). Since the use of these clauses is not mandatory, it remains to be seen whether they will prevail in practice compared to the numerous freely available templates for data processing agreements.
New testing and documentation requirements for the implementation of Schrems II
The new Standard Contractual Clauses are in parts obviously designed as a response to the risks identified by the CJEU in Schrems II in the context of third-country transfers, in particular regarding excessive access to personal data by public authorities. However, they do not solve the practical problems arising for implementing companies. For example, the CJEU explicitly requires implementers of the Standard Contractual Clauses to assess the legal provisions applicable in the recipient’s country to see whether the statutory framework even allows the data recipient to comply with the provisions of the Standard Contractual Clauses. If, as in the USA, the legal regulations permit access by public authorities that the CJEU considers incompatible with European standards, the parties must take additional organisational and technical measures to effectively counter these risks.
The new Standard Contractual Clauses manifest this obligation by requiring the contracting parties to conduct a prior impact assessment, the outcome of which must be documented. As a result, both parties must explicitly confirm that there are no concerns about the ability to comply with European data protection standards. The clauses also contain obligations for the data recipient to notify the sending entity about requests from public authorities and to exhaust legal remedies where such remedies are prohibited.
Outlook and recommendation for action
The new Standard Contractual Clauses undoubtedly fit better into the regulatory system of the GDPR and offer practical advantages, such as an increased flexibility and the implementation of the CJEU’s requirements from Schrems II. The mandatory transfer impact assessment on the first view appears to be an intensification of the legal obligations, but ultimately merely implements the situation that applies since Schrem II. Furthermore, the explicit implementation of this requirement in the Standard Contractual Clauses could increase the practical willingness of third-country service providers to participate in a transfer impact assessment as well as the remediation of identified risks through technical and organisational measures.
If no real alternative to the conclusion of the Standard Contractual Clauses is established at the political level, which currently is not foreseeable, there is no way of avoiding the new Standard Contractual Clauses for a cooperation with service providers in third-countries, such as the USA. The current relevance of the topic is also shown by recent measures of the German data protection authorities, which in July 2021 sent questionnaires to companies throughout Germany in a coordinated focus audit regarding the handling of third-country transfers in accordance with Schrems II. Corresponding audits are to be expected in particular in connection with the changeover deadlines for the use of the new Standard Contractual Clauses on 27 December 2022.
Against this background, all EU-based companies should be prepared, whereby the following measures seem advisable for a practicable implementation of the legal requirements:
- Conducting an internal screening for processes that involve the transfer of data to third-countries, such as the USA (e.g., in the context of website tracking, software tools, etc.).
- Evaluating the possibility of suitable alternative providers based within the European Union.
- Preparing different sets of the Standard Contractual Clauses according to own needs.
- Preparing a standardised impact assessment process for third-country transfers and a catalogue of appropriate, technical and organisational measures to reduce identified risks.
- Ongoing documentation and review of the measures taken, as evidence for submission to the data protection supervisory authority in case of an audit.
If you have any questions about the new Standard Contractual Clauses or about third-country transfers in general, please do not hesitate to contact us.