knowledge | 7 November 2022 |
The sun is setting on old Standard Contractual Clauses
As the end of the grace period fast approaches, organisations continuing to rely on the European Commission’s old standard contractual clauses to legitimise their transfers under the General Data Protection Regulation (“GDPR”) will need to focus on updating their transfer arrangements before the end of the year.
Standard contractual clauses (“SCCs”) are contract provisions expressly approved by the European Commission (the “Commission”), and designed to provide appropriate safeguards for the transfer of personal data to a third country (i.e. outside of the European Economic Area (“EEA”)). In the absence of an adequacy decision of the Commission, controllers and processors may rely on SCCs when transferring personal data internationally.
In July 2020, the Court of Justice of the European Union (the “CJEU”) upheld the validity, in principle, of the old standard contractual clauses that were adopted by the Commission in 2001 and 2010 under previous data protection legislation (the “old SCCs”) (reported here) as a basis for transferring personal data outside the EEA. With the benefit of the concept of SCCs having been upheld by the CJEU, the Commission proceeded to publish and adopt a long over-due new set of clauses in June 2021 that were specifically drafted to address the new requirements of the GDPR and to remedy some deficiencies in the old SCCs (the “new SCCs”) (reported here and here).
Since September 2021, the old SCCs are no longer valid for new data transfer arrangements, which now need to be based on the new SCCs. Parties who entered into agreements incorporating the old SCCs before 27 September 2021 are entitled to continue to rely on them until 27 December 2022. After this date, organisations who are relying on having SCCs in place to legitimise their transfers are required to use the new SCCs. Failure to replace the old SCCs with the new SCCs will amount to a breach of the GDPR and give rise to exposure to enforcement actions, including fines of up to €20 million or 4% of annual global turnover (whichever is higher) and/or compensation claims by individuals.
Q&A on the SCCs
To assist with the changeover, the Commission published a Q&A on the new SCCs to provide further guidance on their operation and incorporation into contracts. The Commission noted that 88% of respondents in a survey reported SCCs as their top method for extraterritorial data transfers, and that:
- In order for the SCCs to be effective, they must be signed by and binding on all parties;
- The SCCs should include the contact details of the parties and their respective roles;
- A general reference to the SCCs is not sufficient (i.e. by providing a link to the Commission’s website);
- The new SCCs are designed with four different scenarios in mind, and the parties are expected to choose the module that fits the relationship in question (i.e. controller to controller; controller to processor; processor to processor; or, processor to controller);
- While the main text of the SCCs cannot not be altered, the parties to the relevant agreement may supplement the provisions as long as the SCCs are not contradicted;
- The annexes must be completed and it should be clear to the parties, concerned data subjects, competent data protection authorities and courts which modules, options and specifications have been chosen. Only the relevant clauses should be agreed, and modules / options which are not relevant should be deleted; and,
- An optional “docking clause” is also provided for, which allows for additional parties to join the SCCs in the future. When this occurs, the annexes should be updated in tandem.
Steps to be taken
Less than two months remain until the old SCCs will cease to be valid. Consequently, data exporters should conduct a review of their ongoing data transfers to third countries and determine if any agreements incorporating the old SCCs need to be updated before 27 December 2022.
Also contributed by Lisa Leonard
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.