The new standard contract clauses: what you need to know right now

Screenshot of title of new clauses

The European Commission has published a new set of standard contract clauses. They're also in the Official Journal, as of 7 June 2021.

If you are subject to the GDPR and you are involved — whether as the person receiving/accessing personal data, or the personal sending/giving access to personal data — in international transfers of personal data, you need to be on top of this.

Quick background

If you are subject to the GDPR and you transfer personal data, or make personal data available internationally — that is to say, outside the EEA — you can only do so under limited circumstances. This is to ensure a level of protection which is essentially equivalent to the protection afforded by the GDPR.

One of those limited circumstances is if you enter into European Commission approved standard contract clauses (possibly in addition to a broader commercial contractual arrangement) with the party outside the EEA.

Standard contract clauses have been around for years, but they have become (and perhaps always were) a bit of a creaky mechanism, with some significant gaps.

Now, there is a new set of standard contract clauses, which will imminently replace the existing clauses.

If you rely on SCCs, you need to act quickly, but not rashly

The new set of clauses enters into force on 27 June 2021.1

Three months after that — 27 September 2021 — the existing clauses are repealed.

However, for contracts entered into before 27 September 2021, you can still use the old clauses for a further 15 months (i.e. until until 27 December 2022), provided that:

the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.

This means that, if you rely on the current standard contract clauses, you've got at least three months to take stock and work out what you are going to do. You may have an additional 15 months' leeway, but that depends on the facts.

You cannot use these standard contract clauses if the importer is outside the EEA but still subject to the GDPR

Recital 7 to the Commission's decision says:

The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.

An importer (or, indeed, anyone) can fall within the scope of the GDPR without being established in the EU. (Here's some further reading on that.)

In that situation, it seems that the parties cannot use the standard contract clauses.

Why that is the case is unclear. It could be based on an interpretation that, if both parties are subject to the GDPR, there is no "international transfer" even if, in practice, there is an international transfer.

Hopefully there will be more information available about that but, for now, it's something to bear in mind before rushing into these clauses.

What about the UK GDPR?

One would hope that the UK government will regard these new clauses as a suitable mechanism for satisfying the requirements of adequacy under the UK GDPR.

I don't think there has been any official announcement yet, but I'll update this part of the post if/when one comes.

What about transfers from organisations subject to the GDPR to the UK?

Currently, there is no need for them, as the UK has a temporary finding of adequacy.

If that decision continues, there will continue to be no need for them.

If, however, the UK is no longer deemed adequate, then organisations subject to the GDPR seeking to export data to the UK (assuming that the UK organisation's processing is not also subject to the GDPR) will need to put these clauses in place with the UK importer, or find another basis of adequacy.

So, if you are a UK-based importer, you might expect to see quite a lot of these new clauses, depending on what happens with adequacy.

What the new clauses do well

They cover more situations

The new standard contract clauses cover a broader range of relationships than the previous sets.

In particular, they provide a mechanism to cover processor-to-processor exports, filling a gaping hole in the previous sets of clauses. Excellent!

They are modular

They are modular, with specific clauses which apply only in specific situations.

While the official PDF of the standard contract clauses will be a pig to work with, I'm sure it will not be long before someone (hopefully a regulator, but possibly me if I find the time) creates a standard contract clauses generator tool, which puts in the right clauses depending on the scenario.

It's easier to add new parties

The new standard contract clauses make it easy for other parties to sign up to the standard contract clauses, with the "docking" language.

They appear to be Article 28 compliant for controller-processor transfers

I have yet to do an exhaustive check but, as I read through, it looked as if the controller-processor module would result in an agreement which not only covered the international transfers element, but also creates a processing agreement which is compliant with Article 28 GDPR.

This is welcome, in that one agreement could cover both requirements.

(Recital 10 to the decision underpinning a parallel set of clauses released by the Commission seems to support the perspective that the clauses we are discussing here also comprise a valid processing agreement.)

What the new clauses do less well

These things might be great from a data protection point of view — I'm thinking here in terms of practicality and ease of use.

Increased complexity

The modular nature of the clauses is a double-edged sword and, in particular in conjunction with the increase in the number of fields which the parties need to complete, the standard contract clauses are more complicated than before.

This may help ensure a high level of protection, but it makes it increasingly less likely that someone without a robust legal understanding will be able to navigate and implement them effectively. In other words, a higher burden which is likely to adversely impact less well-funded organisations.

This might be mitigated if someone builds an online "clause generator" too but, right now, the complexity may have an inhibitory effect. (Obviously, if you're looking for a lawyer to help you...)

Added transparency obligations could be burdensome operationally

The new transparency requirements (clauses 8.2 or 8.3, depending on the module in question) require the provision to data subjects on request of the specific copy of the clauses and the completed appendices.

This is consistent with the ethos of Articles 13 and 14 GDPR, but it's something which both exporters and importers will need to consider.

Will they publish all their standard contract clauses and appendices, so that everyone can see them? Or just keep a pile of them ready for their customer services team to hand out on demand?

For organisations carrying out a lot of international transfers on the bases of these clauses, there could be a lot to publish.

The new clauses still demand per-transfer security considerations

One of the major impacts of the CJEU's decision in Schrems II was the notion that just signing a contract was not enough.

Instead, the parties need to think about the specifics of the transfer, and the risks posed to the protection of personal data, and put appropriate additional controls in place.

This requirement is now baked into the new standard contract clauses, with Annex II reserved for this.

The explanatory note to Annex II is clear that this needs to be a specific list of measures:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Again, probably not a bad thing from a protection of data point of view, but, as with the overall issue of increased complexity, it will continue to make life harder for less well resourced exporters and importers.

In addition to Annex II, the obligations in clause 14, in terms of assessing:

the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards

are likely to be burdensome for less well resourced organisations.

What about "transfers back" from a processor in the EU to a controller outside the EU?

One of the long-standing topics of debate in terms of international transfers is whether there is an international transfer, which demands compliance with the GDPR, if a controller outside the EU transfers personal data to a processor in the EU, which then transfers the data back to the controller.

From my point of view, the language of "transfer" suggests that it would be caught.

From a common sense point of view, that conclusion seems absurd: if someone in (say) the USA gives their data to a company in the USA, and the company in the USA happens to make use of a processor in the EU, why would data subjects in the USA expect additional data protection rights just because of the processing in the EU.

Module 4 of the clauses attempts — I think — to cover this situation, since it deals with "transfer processor to controller".

To my mind, this means that the Commission's view is that that activity is a transfer within the scope of the GDPR, and now can be handled by these new clauses, by invoking module 4.

However, it seems that some of the module 4 clauses only apply to a subset of those transfers. Clauses 14 and 15 say that module 4 applies:

where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

I think that this is a caveat / limitation applied specifically to those two clauses, and is not an interpretation aid to module 4 generally, simply because the qualification language only appears in specific places.

What next?

If this issue affects you:

  • read the new clauses (or get someone to talk you through them).
    • understand the risks and liabilities you face, and new obligations.
    • for example, work out how you are going to meet the additional transparency requirements.
  • assess what transfers you carry out on the basis of existing standard contract clauses, so you can work out what, if anything, you need to do about them.
    • identify which of the existing relationships might entail a change to the processing in the next few months, to plan how to move to the new clauses.
    • determine if any of the relationships fall within the seeming exclusion of transfers to an importer subject to the GDPR.
  • identify any proposed imminent international transfers (but seemingly not those to importers subject to the GDPR).
    • decide if you want to rush through under the current clauses or wait for the new clauses to take effect.
  • if you are based outside the EU, consider pulling together an analysis of applicable local laws, to help meet your obligations under clauses 14 and 14.
  • see if you can prepare a generic set of security requirements, as a baseline for incorporating specific relevant sections into Appendix II for each transfer.

  1. Thanks to Jon for tipping me off about publication in the Official Journal. ↩︎