Concluding the Saga? The New SCCs for GDPR-Compliant Third-Party Data Transfers Have Arrived
On 4 June, the European Commission (EC) published its finalised version of the new Standard Contractual Clauses (SCCs) for transferring personal data from the EU to third countries (the new SCCs). The new SCCs allow companies and other data importers in third countries to move forward with greater certainty in developing legitimate data transfer mechanisms.
Key Takeaways from the New SCCs:
- The new SCCs enter into force on 27 June 2021 and data exporters must restructure data transfers to meet the requirements of the new SCCs by 27 December 2022.
- Data exporters who are not in a position to comply with the obligations outlined in the new SCCs can enter into new contracts relying on the previous draft SCCs until 27 September 2021.
- The new SCCs continue to allow companies to adopt a risk-based approach when assessing whether a third country’s access laws and practices provide adequate protections.
- The new SCCs rely on a modular approach and are designed to be more flexible and more responsive to the commercial realities of EU-third country data transfers.
- While more responsive to commercial realities, the new SCCs impose GDPR-like principles for processing personal data on data importers, which increases the administrative burden on data importers.
- The new SCCs impose higher data security standards than previous versions.
Background on the New SCCs
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the long-negotiated Privacy Shield. This mechanism had been implemented to facilitate the legal transfer of personal data between the EU and the US.
In giving its judgment (known as Schrems II), the CJEU ruled that the SCCs remained a valid transfer mechanism. However, it also noted that controllers relying on SCCs for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
As a result, the European Commission published the new Draft Standard Contractual Clauses in November 2020, alongside the guidance on supplementary measures for non-EU transfers. The new SCCs build upon the changes made in the draft SCCs and are a more permanent mechanism to facilitate the flow of data from the EU to third countries.
We wrote about the draft SCCs following their release last year. Read that release here: https://privacy108.com.au/insights/transferring-data-out-of-the-eu-draft-sccs-and-supplementary-measures/
Do the New SCCs Apply to Australian Data Transfers?
The new SCCs should be relied on to facilitate data transfers between the EU and any third country (outside of the European Economic Area) that has not received an adequacy decision. At the time of writing, Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay have been recognised by the EC as providing adequate protection. South Korea may be added to that list, with its adequacy decision currently pending.
You can find up-to-date information about adequacy decisions here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
The new SCCs also clarify the position for non-EU based entities covered by the GDPR by virtue of the extraterritorial scope provisions in Article 3(2). In its implementation of the new SCCs, the European Commission notes that:
- the data exporter under the SCCs can be a non-EU entity; and
- SCCs are not required for transfer to non-EU based data importers (brought within the scope of the GDPR by Article 3(2)).
The need to comply with the ex-EEA transfer provisions was previously a conundrum for Australian-based organisations: the GDPR could apply to them, but as exporters they technically could not use the previous SCCs (because they were not established in the EU), and as importers they had to treat the import as a cross-border transfer even though they were already subject to the GDPR.
A summary of the key features of the new SCCs
As in the draft SCCs, the new SCCs are available not just for controller to controller or controller to processor transfers, but also for the transfer of data from processor to processor (or processor to sub-processor).
The EC has also retained a risk-based approach when assessing data subject protections in a destination jurisdiction. Specifically, the new SCCs note at (19):
The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
Greater Alignment of the SCCs with the GDPR
This is a theme throughout the new SCCs: data breach reporting requirements, data processor obligations and technical safeguards now align more closely with the GDPR than previously.
Greater Security Requirements
The new SCCs require data importers and data exporters to “implement appropriate technical and organisational measures to ensure the security of the personal data”. Parties are required to outline the agreed security measures in Annex II in specific detail.
Examples of possible measures include:
- Measures of pseudonymisation and encryption of personal data
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Measures for user identification and authorisation
- Measures for the protection of data during transmission
- Measures for the protection of data during storage
- Measures for ensuring physical security of locations at which personal data are processed
- Measures for ensuring events logging
- Measures for ensuring system configuration, including default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimisation
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure.
You can read more about GDPR requirements and download a free whitepaper on an innovative encryption process designed to meet GDPR cross-border transfer requirements here: https://privacy108.com.au/insights/a-solution-to-the-trans-atlantic-data-transfer-problem-cryptoloc/
Onward Data Transfers
The new SCCs introduce tougher rules on onward data transfers. An onward transfer is only permitted where the data subject is offered equivalent protections, whether through the onward recipient acceding to the SCCs, the informed consent of the data subject, or another measure that ensures continuity of the protections.
Data Subject Supervision
The new SCCs permit data subjects to lodge a complaint with the supervisory authority (SA) in the member state in which they work or reside or with the SA outlined in Annex I.
What do you need to do now?
You should have already undertaken the inventory and preparation process outlined in the European Data Protection Board (EDPB) draft guidance on supplementary measures to the SCCs.
Based on that inventory, you should analyse the new SCCs to determine whether they affect your operational processes and whether your protections (particularly your technical measures) are sufficient. This assessment should be based on a documented process, and you should create documents outlining your decision making for each data transfer.
Once you’ve performed the assessment, prepare and implement new contracts that replace the old SCCs with the new SCCs prior to 27 December 2022.
If you need assistance undertaking the relevant assessments under the new SCCs, don’t hesitate to reach out.