EU Issues Revised Model Clauses for International Data Transfers


Post By: André Bywater, Lawyer (Partner) with Cordery Compliance, London, UK

What’s this all about?

The European Commission has now finalised and published new tools for international (personal) data transfers. This blog looks at this latest development in brief. The views expressed are those of the author and do not constitute legal or other professional advice – if you require legal or other advice you should consult your professional adviser for this.

Why is the EU doing this?

Under EU privacy/data protection rules (GDPR etc.) international data transfers can only be made in certain ways and subject to various conditions – probably the most relied on mechanism are the so-called standard/model contract clauses (“SCCs”). SCCs consist of a contract entered into between a data exporter and a data importer that impose certain data protection obligations on both parties.

SCCs have long been overdue an upgrade which was given even more of an impetus following the European Court’s summer 2020 Schrems ruling that invalidated the EU-US Privacy Shield and introduced further due diligence on data transfers under model clauses. Late last year the European Commission issued revised draft SCCs which were first subject to a public consultation and have now been finalised and officially published.

What are the highlights?

The new SCCs combine general clauses with a modular approach to cater for various data transfer scenarios. The basic four types of transfer scenarios under the new SCCs are: data controller to data controller; data controller to data processor; data processor to data processor; and, data processor to data controller. So, in addition to using general clauses, data controllers and processors will need to select the module applicable to their situation in order to customise their obligations under the new SCCs to their role and responsibilities in relation to the data processing in question.

In line with the European Court summer 2020 Schrems ruling, parties to the new SCCs will need to take account of the specific circumstances of a given data transfer, including the data exporter doing due diligence on the data importer and the relevant laws and practices of the third country of destination (where the data is to be sent to).

Depending on a given situation, safeguards (legal and/or technical) may need to be put in place to supplement those under the SCCs. A particular issue to be addressed is how to deal with requests from public authorities in the importer country for disclosure of transferred personal data. There is also a warranty requirement to say that there is no reason to believe that the laws in the importer country prevent the importer from fulfilling its obligations under the SCCs.

The SCCs also set out clauses addressing liability between the parties and with respect to data subjects, and about indemnification between the parties. Parties must be able to demonstrate compliance with the SCCs, notably through documentation about data processing activities.

What dates do I need to be aware of?

The new SCCs are in force from 27 June 2021.

The existing sets of EU SCCs (i.e. under the EU data protection regime prior to GDPR) are repealed as from 27 September 2021.

Agreements made on the basis of what will become the repealed SCCs remain valid until 27 December 2022, but only so long as data processing operations that are the subject-matter of the agreement remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards – if changes to the agreement are made this will basically mean having to replace it with the new SCCs.

What about enforcement?

Enforcement of EU data transfer rules is a hot topic at the moment particularly with the recent announcement that German data protection regulators have agreed on a questionnaire-based approach as a prelude to enforcement. There has also been activity in other countries such as Portugal where there has been a suspension of data transfers to Cloudflare despite SCCs being in place.

What are the takeaways?

There’s now more work involved with SCCs. In order to be compliant consider doing the following (which is by no means an exhaustive list).

Do an audit of all of your existing SCCs to be able to replace them and prepare a methodology to do this – the new modular approach will require time and resources to adapt to.

Whilst the transition period until the end of 2022 might seem some time away many organisations will either have many existing SCCs to eventually replace or plenty of new ones to introduce, so make time to make the changes and prioritise the order of the ones to change. Bear in mind also that if a contract between parties is renegotiated or otherwise changed during that transition period the new SCCs are the ones that will have to be (immediately) applied and so the work required to then change to the new SCCs will have to be turned around quickly. Remember too that even if you are able to rely on your existing SCCs (until the end of 2022) you must still have done your European Court Schrems summer 2020 ruling due diligence (on the destination country etc.) with respect to them.

When putting together your new SCCs take care because the SCCs cannot be modified except to add or update certain information concerning details about the data exporter and importer, the description of the data transfer, the technical and organisational measure in place, and, the list of sub-processors – parties can include the SCCs in a wider contract and add other clauses or additional safeguards but only provided that they do not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects.

Data exporters should create questionnaires to send to proposed data importers to do due diligence on those importers about the laws and practices of the importer country (where personal data is to be sent to), and to also do due diligence on the data importers themselves.