First thoughts on the new SCCs for international transfers of personal data

Controllers and processors may continue using the prior SCCs:

a.      Until 27 September 2021, for new international transfers (i.e., transfers initiated after the Implementing Decision comes into force).

After this date, companies are required to put in place the new SCCs or other transfer safeguard according to the GDPR in order to legitimize their international transfers.

Companies may encounter certain difficulties implementing the new SCCs in such short period, as the new SCCs are very much different and complex in comparison with the previous ones. In particular, carrying out the risk based assessment approach provided by the SCCs (see more details below) could generate delays depending also on the country where they envisaged transferring the personal data.

b.     Until 27 December 2022 (i.e., 18 months after the Implementing Decision comes into force), for the performance of contracts concluded between controllers and processors before the repealing of the prior SCCs.

This is applicable as long as the processing operations that are the subject matter of the contract remain unchanged and the reliance on the prior SCCs would ensure that the transfer is subject to appropriate safeguards within the meaning of the GDPR.

In case processing operations change, companies are required to put in place the new SCCs or other transfer safeguard according to the GDPR in order to legitimize their international transfers.

While the Implementing Decision does not provide a specific list with the changes that would trigger this obligation, Recital 24 of the Implementing Decision expressly mentions that such obligation would exist in case of sub-contracting to a (sub-) processor of processing operations covered by the contract.

a.      C2C transfers, from a controller to another controller (Module One)

b.     C2P transfers, from a controller to a processor (Module Two)

c.      P2P transfers, from a processor to another processor Module Three)

d.     P2C transfers, from a processor to controller (Module Four).

This means that companies should select the module applicable to their situation to keep only the relevant obligations according to their role and responsibilities in relation to the data processing in question.

The specific clauses related to the selected module will supplement the general clauses that are applicable for all four modules mentioned above.

While this particular aspect does not come as a surprise if we consider the draft SCCs presented in November 2020 by the Commission that reflected the same modular design, this approach is new and much better in comparison with the prior SCCs that were applicable only for C2P and P2C.

For sure, data exporters and data importers acting as both controllers, as well as data exporters acting as processors and data importers acting as sub-processors would very much welcome these changes that close the circle as to all roles the companies may act in respect to a data processing.

The SCCs also set out the rights and obligations of controllers and processors according to Article 28 of the GDPR as regards the C2P transfer or the P2P transfer. This is also a welcomed change since by now companies transferring personal data in third country would need to conclude both the prior SCCs and a data processing agreement / other contract reflecting the mandatory clauses under Article 28 of the GDPR.

This is another very welcomed change brought by the new SCCs, since the prior ones could be used only by data exporters that were established in the EEA, thus leaving without a possible practical solution non-EEA data exporter who would need to transfer personal data to another non-EEA data importer.

This means that insofar the non-EEA data importer falls within the GDPR territorial scope, the new SCCs may not be used to legitimize the data transfer to it.

The Implementing Decision does not explain the reasoning behind this solution, nor those provide instructions as to whether the said data importer should implement the supplementary safeguards according to the Schrems II judgement. One may interpret such safeguards need to be implemented by default according to the general GDPR requirements to which the respective data importer is subject to.

However, companies should undertake an in depth analysis on this particular aspect considering the practical implications of it.  The monitoring of potential further clarifications of the European Data Protection Board on this matter is advisable.

Moreover, additional companies acting as controllers or processors are allowed to accede to the new SCCs as data exporters or data importers throughout the lifecycle of the contract of which the new SCCs would form a part.

In this respect, the docking clause (i.e., Clause 7 of the new SCCs) provides that an entity that is not a party to the SCCs may, with the agreement of the existing parties, accede to the SCCs at any time, either as a data exporter or as a data importer.

The Implementing Decision and the new SCCs are silent on how the existing parties should provide their agreement for the new party to accede to the SCCs, which may lead to different interpretation / practices across companies.

Indeed, there is a hole section that seem to focus specifically on the Schrems II requirements (i.e., Section III), reflecting a risk based assessment approach.

This means that the parties to the new SCCs have to warrant that they have no reason to believe that the laws and practices in the third country, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the new SCCs.

In providing the warranty, the parties to the new SCCs have to declare that they have taken due account of several elements, including on the laws and practices of the third country of destination and those requirements regarding disclosing personal data to public authorities or to authorizing access by such authorities.

While the provisions detailed above are quite general, without practical insights, there is a footnote in the new SCCs (i.e., No. 12) that seem to bring more light on the matter.

According to the said footnote, as regards the impact of such laws and practices on compliance with the new SCCs, the elements the companies may consider may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. It goes without saying that this guidance may prove to be very helpful for companies when carrying out the risk based assessment.

Parties to the new SCCs would have to document the risk based assessment they made and provide it to the competent supervisory authority, on request.

Additionally, the new SCCs provides obligations incumbent to the data importer to notify the data exporter and, where possible, the data subject promptly in case:

a.      it receives a legally binding request from a public authority, including judicial authorities, for the disclosure of the personal data transferred or if

b.     it becomes aware of any direct access by public authorities to the personal data transferred.

In cases where the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the new SCCs provide the data importer must agree to use its best efforts to obtain a waiver of the prohibition.

As expected, these are probably the provisions the companies would struggle the most to comply with if we take into consideration at least the expertise and the multiple resources the companies need to ensure for compliance with these provisions.  The reasons may continue.