New SCCs with wider application introduced by European Commission
Earlier this month on 4 June 2021, the European Commission issued two decisions containing new sets of Standard Contractual Clauses (SCCs) for the transfer of personal data pursuant to the General Data Protection Regulation (GDPR). With each of these decisions coming into force on 27 June, we take a look at some of the key aspects of the new clauses.
Commission Implementing Decision 2021/914 on standard contractual clauses for the transfer of personal data to third countries (Third Country SCCs), will replace the SCCs adopted under the (now repealed) Data Protection Directive (EU/95/46) (old SCCs) and, caters for a broader range of transfer scenarios. Commission Implementing Decision 2021/915 provides new standard contractual clauses (Intra EU SCCs) that can be used between controllers and processors to meet the requirements contained in Article 28(3) and (4) of the GDPR (and Article 29(3) and (4) of Regulation (EU) 2018/1725). Importantly, the Intra EU SCCs are enabling rather than mandatory, and controllers and processors may choose to negotiate their own contracts containing the compulsory terms referred to Article 28 of the GDPR.
Each set of SCCs may be entered into by more than two parties and each contains a mechanism for new parties to accede to the clauses, as data exporters or importers, throughout the lifecycle of the contract.
In recognition of the complexity of modern processing chains, the Third Country SCCs helpfully take a range of different data transfer scenarios into account. Data importers and exporters can build SCCs applicable to their situation by combining general clauses with one of four modules:
- Module one provides for a controller to controller (“C2C”) transfer where personal data are transferred from a controller within or outside the EU/European Economic Area (EEA) to a controller in a third country, i.e. outside the EEA, for example data transfers between customers and service providers where both entities are acting as controller.
- Module two provides for a controller to processor (“C2P”) where personal data are transferred from a controller within or outside the EU/EEA to a processor in a third country, for example the transfer of personal data from a customer acting as a controller within the EU/EEA, to a service provider acting as a processor in a third country.
- Module three provides for a processor to processor (“P2P”) transfer where personal data are transferred from a processor within or outside the EU/EEA to a (sub-) processor in a third country, for example service provider arrangements where data are transferred from a processor within the EU/EEA to a processor/sub-processor in a third country.
- Module four provides for a processor to controller (“P2C”) where personal data are transferred from a processor within or outside the EU/EEA to a controller in a third country, for example the provision of service by a service provider acting as a processor within the EU/EEA, to a controller in a third country.
Other Key Changes in the Third Country SCCs
Third-party beneficiary rights under Irish law: The Third Country SCCs are required to be governed by the law of an EU Member State that allows for third-party beneficiary rights. If Member State laws do not allow for third-party beneficiary rights, then the clauses must be governed by the law of another Member State that does allow for them. This requirement creates a difficulty for those wishing to rely on Irish law as the governing law of the clauses, as third-party beneficiary rights do not generally exist in Ireland. The principle of privity of contract prevails in the Irish courts.
However, to avoid the kinds of complications that this would present for Irish based exporters, the Irish Department of Justice has indicated that it will introduce a new Statutory Instrument to amend the Data Protection Act, 2018 to provide for third party rights and our understanding is that this legislation will be published very shortly.
Liability: Clause 12 provides that each party is liable to the other party (or parties) for any damages it causes them through any breach of the Third Country SCCs.
Warranty: Both the data exporter and the data importer must “warrant that they have no reason to believe” that the laws in the destination country would prevent the data importer from complying with its obligations under the SCCs. To support this warranty, the parties must undertake a “transfer risk assessment”.
The following dates provide a timeline for the introduction of the new SCCs:
- 27 June 2021 (20 days from publication): The Commission Implementing Decisions will enter into force.
- 27 September 2021: The Third Country SCCs must be used for any new data transfers of personal data from the EU/EEA to third countries from this date on. The old SCCs will be repealed. It will not be possible to add new data categories or processing purposes to old clauses.
- 27 December 2022: Data transfer agreements based on the old SCCs, and concluded before 27 September 2021, remain valid until 27 December 2022, provided the processing and subject matter do not change, and the existing clauses ensure appropriate safeguards are in place within the meaning of Schrems II and otherwise. They must however, be replaced with the Third Country SSCs from 27 December 2022.
The authors would like to thank Sarah MacMahon for her contribution to this article.