New EU Standard Contractual Clauses: 10 things to know and implications for the United Kingdom

EU, UK

Last month, the EU Commission published the new standard contractual clauses for the transfer of personal data from the EU (the “New EU SCCs”). The New EU SCCs will replace the previous standard contractual clauses adopted pursuant to decisions of the EU Commission under the Data Protection Directive 95/46/EC (the “Old EU SCCs”). In this Law-Now, we set out some key points to note in relation to the New EU SCCs, and the implications for the United Kingdom.

Key points on the New EU SCCs

  1. The New EU SCCs represent an update to the Old EU SCCs to reflect the provisions of the EU GDPR. As a result, the New EU SCCs are more onerous, especially on the data importers, than the Old EU SCCs. When being used, they should be read carefully by the parties to ensure that their provisions can be, and are, complied with.
  2. The Old EU SCCs only provided for controller to controller and controller to processor transfers. The New EU SCCs, in addition, provide for transfers from processors to (sub)processors and from processors to controllers.
  3. The Old EU SCCs were dealt with in separate documents (two variants for controller to controller transfers and one for controller to processor transfers). The New EU SCCs are dealt with in just one document, with ‘modules’ that will or will not apply, depending on the nature of the data exporter and data importer (i.e. whether they are a controller or a processor).
  4. For some provisions in the New EU SCCs, the parties will need to select between certain options.
  5. Under the Old EU SCCs, it was only possible to have two parties. For the New EU SCCs, it is possible to have more than two parties and to also add additional parties pursuant to a ‘docking’ (accession) clause.
  6. For controller to processor transfers, the provisions of the New EU SCCs can also be used to satisfy the requirements under Article 28 of the EU GDPR (which essentially requires controllers and processors to have in place a contract containing certain minimum mandatory terms). There is an argument that, technically speaking, given the way the New EU SCCs describe the personal data they cover, this would only cover the processing by the processor of personal data actually transferred to it from the controller and thus not cover any personal data otherwise collected or generated by the processor. Additional provisions would be required to address this gap.
  7. For existing controller to processor transfers, many of the provisions in the New EU SCCs should already be broadly reflected in data processing agreements between the controller and processor used to satisfy the requirements under Article 28 of the EU GDPR. However, the precise language will be different, including in relation to the appointment of sub-processors and audit rights, which we find are generally the most hotly negotiated provisions in data processing agreements.
  8. The New EU SCCs introduce sections on “Local laws and practices affecting compliance with the Clauses” and “Obligations of the data importer in case of access by public authorities” designed to address some of the requirements set by the European Court of Justice in the “Schrems II” case for reliance on standard contractual clauses for international personal data transfers. However, these only address contractual ‘supplemental measures’ and do not relieve the parties from performing a transfer impact assessment and having to adopt further supplemental measures if necessary.
  9. The parties must agree on and stipulate the governing law for the New EU SCCs together with the jurisdiction for disputes. Other than for processor to controller transfers, the governing law must be that of a stipulated EU Member State that allows for third party rights, and disputes must be resolved in the courts of a stipulated EU Member State (or for cases brought by a data subject, in the courts of the country of their habitual residence if in the EU).
  10. Until 27 September 2021, organisations can continue to enter into the Old EU SCCs, or use the New EU SCCs if they choose. After 27 September 2021, only the New EU SCCs may be entered into. Any Old EU SCCs entered into before 27 September 2021 must be replaced with the New EU SCCs by 27 December 2022, or earlier if there is a change in the underlying data processing.

Implications for the United Kingdom

  1. The New EU SCCs cannot be used for transfers of personal data from the UK.
  2. Organisations transferring personal data from the UK in reliance on standard contractual clauses (and of course supplemental measures as required) must at present use the Old EU SCCs, or forms of the Old EU SCCs changed in line with guidance from the UK Information Commissioner’s Office (“ICO”) so that they make sense in a UK context, provided the legal meaning of the Old EU SCCs is not changed. An example is changing references from the Data Protection Directive 95/46/EC to the UK GDPR.
  3. The ICO is expected to publish for consultation new standard contractual clauses for transfers of personal data from the UK within the next few weeks. Once adopted, these clauses are expected to replace the Old EU SCCs (and modified versions thereof) for use in the UK; however, the timescales for doing this are not yet known.