The European Commission published the new Standard Contractual Clauses on data transfers that have relevant implications and new substantial obligations.
What changes with the new Standard Contractual Clauses?
The new SCCs are complex documents, but the main changes can be summarized as follows:
- New scenarios covered: The Standard Contractual Clauses address data transfers processor-to-processor and processor-to-controller, in addition to the already regulated data transfers controller-to-controller and controller-to-processor, also for data exporters not established in the EU but to which the GDPR is applicable and for onward transfers. Indeed, the SCCs place control over the whole supply chain, including non-EU B2B subprocessors that shall abide by the new terms 🔝
- A single data processing agreement open to new joiners: There are 4 model clauses consolidated in a single document to be selected according to the applicable scenarios (even though the SCCs remain not negotiable), incorporating the data processing agreement as per article 28 of the GDPR and with the so-called “docking clause” allowing new controllers and processors to join SCCs during their life cycle 🔝
- Substantial obligations on data exporters: The data exporter must guarantee the suitability of the importer to meet the obligations of the clauses through technical and organizational measures. There is a reference to the performance of audits but no express mention of other measures (e.g., checklists) to verify compliance that are likely to be implemented, leaving room for more flexibility ⚠️
- Broad liability clauses for data importers: Each party (data importer/exporter) shall refund damages caused to the other party and data subjects with no liability cap. Besides, the SCCs will prevail over contrasting additional contractual obligations ⚠️
- Schrems II obligations on both parties: The SCCs do not bypass the need for a transfer impact assessment according to the Schrems II case, but actually require it to be documented, with reference also to the assessment of the laws of the third country, the technical, contractual and organizational measures adopted to minimize risks and the peculiarities of the transfer involved, with an obligation on the data importer to inform the data exporter of any change impacting the data transfer assessment 🆘
- A detailed list of measures: The explanatory note to the SCCs emphasizes the need to nail down in detail (rather than by reference to general categories) the technical, organizational, and contractual measures adopted, which will require a substantial amount of work 🆘
What shall be done with new SCCs on data transfers?
To plan the next steps, businesses shall consider:
- Time is short: The new Standard Contractual Clauses will be effective 3 months after a 21-day period following the publication on the Official Gazette (the “Repeal Date”). During the 3-month period, businesses can enter into either the old or the new SCCs, but a switch to the new SCCs shall occur within 15 months from the Repeal Date ⏰
- It is not a copy/paste exercise: The new SCCs adopt a modular approach, which means there are some decision points to make and additional / more onerous flow-down obligations to sub-processors to adopt, which means adopting the new SCCs is likely to require more effort than simply swapping out the old clauses and swapping in the new ones 🎯
- You need to have an action plan: Businesses shall review which contracts are impacted and find the most efficient manner to comply, e.g., categorizing the potential scenarios and arranging filled-in templates to tackle them. Besides, the new SCCs incorporate the data processing agreement and prevail over contrasting contractual provisions; therefore, it shall be necessary to review how the terms of existing DPAs are impacted 🗒
- Transfer impact assessments can no longer be postponed: After the “panic” following the Schrems II decision, some businesses were hoping the SCCs would have “sorted” the issue, requiring just a paper exercise in replacing the SCCs. But Article 14 of the standard contractual clauses expressly requires a deep transfer impact assessment which shall also cover the review of the laws of the data importing country. Tools and methodologies like DLA Piper’s Transfer legal tech tool are now a must-have since they automate the assessment of the foreign law, of the measures adopted, and of the likelihood of risk for individuals in an efficient manner 🤖
My view on the new SCCs
The new Standard Contractual Clauses on data transfers definitely take a conservative approach consistent with the EDPB draft recommendations on data transfers that will be the next milestone on the topic. The European Commission clearly took a stance in favor of data controllers, whose negotiations with non-EU processors will be eased, also because the data processing agreement is now incorporated in the SCCs.
There is no doubt that a substantial load of work has now landed on the desks of DPOs and privacy counsels of companies. 15 months looks like a long period of time, but it might be too short for large corporations.
On a similar topic, you may find interesting the article “Do you have a data transfer methodology based on the Schrems II decision?”.