The publication by the European Commission of new standard contractual clauses for the transfer of personal data outside the European Union represents a key step in the transition to a new regulatory framework in this area.
It follows the invalidation of the "Privacy Shield" by the Court of Justice of the European Union (CJEU) in its "Schrems II" judgment[1].
Since the 16 July 2020 decision, cross-border transfers of personal data have become a major concern for businesses. Indeed, organisations using US IT solutions (e.g. AWS, Google Analytics, Microsoft Office, DocuSign, etc.) now need to monitor the presence of data transfers to the US to ensure compliance.
It is in this context that the adoption of new Standard Contractual Clauses has been long awaited by a very large number of actors, well beyond the digital sector alone.
What are the SCCs (standard contractual clauses)?
As the name suggests, the "Standard Contractual Clauses" or "SCCs" are a contractual model, approved by the European Commission. When a company located in Europe wishes to transfer personal data to a "third country" outside the EU, it can sign an agreement with the recipient that includes the SCCs to govern the transfer.
By signing the SCCs, the recipient in the third country undertakes to ensure an adequate level of data protection, even if the laws of the country in question are less protective than those in force in Europe. Thanks to the simplicity of their implementation, SCCs form in practice the legal basis for most cross-border transfers of personal data. For example, they are incorporated into the general terms and conditions of many major web-based businesses.
Why change the standard clauses?
The Schrems II judgment has largely undermined the use of SCCs. In summary, the CJEU ruled that while SCCs are binding on the recipient of the data established in a third country, they are not binding on the authorities of that country, "since they are not parties to the contract". Therefore, the signing of SCCs is not always sufficient to ensure the protection of transferred data, especially when the country of destination allows its intelligence authorities to "interfere with the rights of data subjects in relation to that data".
Thus, it is up to the company to assess the level of data protection in the country in question. In addition, the implementation of "additional measures" to protect the transferred data may be necessary in some cases.
Faced with these new obligations, European and global economic actors turned to the European authorities for clarification. Not least among their expectations was the modernisation of the SCCs. Indeed, the current and commonly used versions dated from 2001, 2004 and 2010 (depending on the precise nature of the transfer), well before the GDPR came into effect in May 2018.
As a result, the publication of the new SCCs on 7 June 2021 has generated a wave of interest among digital, legal and business professionals more generally.
The new SCCs: what are the changes?
The 'new' SCCs modernize the SCC mechanism in several aspects. In particular, for the first time, they provide a framework for transfers from a "processor" of personal data (e.g. a cloud storage provider) to a sub-processor.
In addition, the new SCCs take into account the impacts of the Schrems II decision by providing, in particular:
Thus, in practice, the signing of the new SCCs will impose a contractual obligation on exporters and importers of personal data to carry out the steps foreseen by the Schrems II judgment, namely (i) the analysis of the legislation of the third country of destination and (ii) the implementation of additional measures, if necessary.
The risk-based approach?
Despite this apparently strict contractualisation of the Schrems II requirements, the new SCCs seem to leave room for the more flexible "risk-based approach" called for by some data protection professionals.
Indeed, the SCCs specify that the parties must take into account the "specific circumstances" of the data transfer, including "the length of the processing chain, the number of actors involved, and the transmission channels used; the intended onward transfers; the type of recipient; the purpose of the processing; the categories and format of the personal data transferred; the economic sector in which the transfer takes place and the place of storage of the transferred data".
Thus, it could be argued that the additional measures to be applied will depend in particular on the risk associated with the transfer. For example, sensitive or highly personal data (health data, financial data, data concerning family life, etc.) will require a higher degree of vigilance with regard to additional security measures and verification of the laws of the destination country.
However, the question remains of the attitude of the European supervisory authorities (in France, the CNIL) and the courts in interpreting this new text.
The set-up
The European Commission's decision adopting the new SCCs will enter into force 20 days after its publication in the Official Journal of the European Union, i.e. on the 27th of June. The old SCCs of 2001, 2004 and 2010 will be repealed on the 27th of September 2021 but will remain in force for a further 15 months for contracts concluded earlier, provided that the processing operations covered by the contract remain unchanged.
In practice, this timetable means that economic actors have until December 27, 2022 to amend their existing contracts to incorporate the new versions of the clauses, if necessary.
TEAM DATA
[1] CJEU, 16 July 2020, DPC v Facebook Ireland Ltd and Schrems (known as Schrems II), Case C-311/18.