New Standard Contractual Clauses adopted: What do I need to do now?

On 4 June, the European Commission adopted a new version of the Standard Contractual Clauses. The adaptation of the “SCCs” had already been on the agenda since the start of the applicability of the GDPR back in 2018, and it has become particularly relevant for businesses that transfer data to non-EU countries (“third countries”) following the judgment of the European Court of Justice in the “Schrems II” case. In this client update, we want to give you an overview of the relevance of SCCs in general, the innovations that have now been introduced, as well as current discussions and developments.

When do I need Standard Contractual Clauses?

As a reminder, the GDPR imposes specific requirements for international data transfers. Whenever data is transferred from the EU to a “data importer” in a non-EU country, the lawfulness of this transfer depends on two questions (also called the “two-step model”): 

  • At the “first step”, because the transfer qualifies as a data processing activity, it always requires a legal basis under art. 6 GDPR (frequently consent or “performance of a contract”) or a data processing agreement under art. 28 GDPR. (This point is often overlooked in the case of third-country transfers if one only looks at the “second step”).
  • At the “second step”, the data transfer to a third country must meet the requirements of chapter 5 of the GDPR. The idea here is that the level of data protection must not fall below EU standards as a result of the transfer to the third country. To ensure this, the GDPR provides three mechanisms: First, a general adequacy decision of the EU Commission may exist for the data importer country, second, “appropriate safeguards” pursuant to art. 46 GDPR (which include the Standard Contractual Clauses) may be implemented, or third, an exemption under art. 49 GDPR may apply.

What is the significance of the new Standard Contractual Clauses in the context of the “Schrems II” decision?

In the decision of the European Court of Justice in the “Schrems II” case, the “Privacy Shield” agreement – which had been widely used until then for data transfers to the United States at the “second step” – was declared invalid. Businesses that had previously relied on this mechanism to secure their cooperation with service providers in the United States had to find another solution and, in the vast majority of cases, switched to the Standard Contractual Clauses.

However, an important section of the “Schrems II” ruling is often overlooked: Although the European Court of Justice confirmed the validity of the Standard Contractual Clauses in principle, it also stated that transfers to third countries cannot simply be upheld in this way. Rather, the SCCs can only be used if the data exporter and the data importer in the third country also factually guarantee (and document) that the regulations of the SCCs can also be complied with. With regard to the United States, the ECJ made it clear that this is not easily possible due to government surveillance. For the necessary “additional measures to ensure a sufficient level of data protection”, the data protection supervisory authority of Baden-Württemberg published proposals for amending the Standard Contractual Clauses (“SCC Plus”) and the implementation of the mandatory risk assessment (“Transfer Impact Assessment”, TIA). On 18 June, the European Data Protection Board published the final version of its guidance on this topic.

In this context, a few other questions also remained: How can the SCCs be used for so-called “processor-to-processor” relationships? Which “additional measures” are sufficient? The newly published revised Standard Contractual Clauses are the EU Commission’s attempt to answer these open questions.

When do I need to switch to the new Standard Contractual Clauses?

The new Standard Contractual Clauses were adopted on 4 June. From 27 September 2021, the old SCCs may no longer be used for new agreements; for “old cases”, businesses now have 18 months to incorporate the new Standard Contractual Clauses into existing agreements.
What’s new about the 2021 Standard Contractual Clauses?

The new Standard Contractual Clauses have a modular structure and can thus cover more different data protection relationships compared to the old SCCs, i.e. data transfers between data controllers and/or processors. Whereas previously only clauses for “Controller-to-Controller” and “Controller-to-Processor” data transfers were available, these have now been expanded to include the options “Processor-to-Processor” and “Processor-to-Controller”.
This means that the following modules are now available within a single document:

1.  Controller-to-Controller
2.  Controller-to-Processor
3.  Processor-to-Processor
4.  Processor-to-Controller

If modules 2 and 3 are completed correctly, you no longer need a separate data processing agreement (DPA) according to art. 28(3) GDPR – you can now complete the first and second “steps” in one document. Only module 4 does not offer this possibility. Since filling out the clauses can be quite complicated, we are currently working on a step-by-step guide for businesses.

In addition to the modular structure of the new document, clauses 14 and 15 contain two additional significant changes:

Clause 14 implements one of the requirements of the “Schrems II” judgment: It requires data exporting businesses to assess the risk (for data subjects) created by the data transfer in the context of a “Transfer Impact Assessment” for each data transfer. This assessment must be documented internally and submitted to the supervisory authority upon request. We hope that standards will evolve for frequently used providers to keep the bureaucracy reasonyble. As unpleasant as the effort associated with this step may be: Only recently, the Bavarian data protection authority prohibited a business from using the “Mailchimp” email service because no risk assessment had been prepared.

Clause 15 contains a new obligation for the data importer that also implements the “Schrems II” ruling: In the event of a request by foreign authorities concerning the transferred data, both the data exporter and all data subjects must be informed.

Other innovations include extended rights of data subjects vis-à-vis the data importer, and the option for further parties to join an existing SCC agreement.

What do I need to do now?

Depending on the extent to which you transfer data to non-EU countries, switching to the new Standard Contractual Clauses is more or less time-consuming. In particular, mapping the affected data flows within your business, documenting the risk assessments and agreeing on the new SCCs with your partners and service providers can take some time. Please note in particular that in addition to your relationships with large providers such as Amazon or Google, your “core business” with your own customers may also be affected, e.g. if you act as a processor and transfer data to third countries.
We recommend to carry out the following steps:

1.  Map international data flows
Check your business for data streams to third countries and the GDPR roles of the parties involved (controller and/or processor). If possible, use your register of processing activities – and use this opportunity to update it. If you have any question, please contact your ePrivacy consultant.
For corporate groups: Please remember to not only map third-country transfers to external parties, but also internal data flows.

2.  Conclude the new SCCs
Conclude the new Standard Contractual Clauses with any business based in a non-EU country to which you transfer data. (We are currently developing a guide for completing the module.) In the case of large US providers, this will most probably happen “automatically” within the next few months through updates of the terms and conditions of the affected service providers.
At this point, we must point out one essential problem that still exists: Whether and to what extent the new Standard Contractual Clauses must also be supplemented by additional contractual and technical measures (“SCC Plus”) remains an open question.

3.  Carry out transfer impact assessments
Clause 14 of the SCCs, following the requirement of the ECJ’s “Schrems II” ruling, requires that a risk assessment be conducted and documented for each international data transfer. The time required by this step should be given special consideration when planning the implementation process in your business.

Which questions remain open?

One long-awaited change is that the new Standard Contractual Clauses now include an option for “processor-to-processor” relationships. The elimination of the requirement of a separate data processing agreement also reduces the effort associated with international data transfers.

However, one very important point remains unanswered: We cannot say whether or not the new Standard Contractual Clauses resolve the problem of data access by government authorities in countries such as the United States created by the “Schrems II” judgment. It remains unclear which technical and organisational measures are suitable to ensure an “adequate level of data protection”, and which cases require an amendment to the SCCs (“SCC Plus”). Furthermore, there are no practical instructions for the correct implementation of the required transfer impact assessment.

On another highly technical issue, namely the exact scope of the new Standard Contractual Clauses for processors according to recital 7, the European Commission intends to follow up in the coming weeks.

In summary, implementing the new Standard Contractual Clauses means a considerable amount of work for businesses in the EU and IT service providers abroad. The existing legal uncertainty regarding international data transfers has by no means been eliminated. According to EU Justice Commissioner Didier Reynders, the EU and the new US administration have started to negotiate a new bilateral agreement for data transfers to the United States. Whether this new framework or even the new Standard Contractual Clauses can be used to “safely” transfer data to the United States remains currently completely unclear.

We will keep you informed about these developments – until then, feel free to contact us if you have any questions…
Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte
Diana Hutter, ePrivacy GmbH

Your Contact to ePrivacy: