New EU standard contractual clauses for data transfer - all's well that ends well?
Applicable also for non-European companies
KUNZ Lawyers offers data protection audit and contract drafting services
1. Data protection as an essential part of compliance in the company
The international exchange of personal data is an essential factor in international trade. It must be secure and straightforward. For data subjects in the EEA, their processing must be carried out in accordance with the protection of data secrecy as an individual right of freedom granted by the General Data Protection Regulation (GDPR).
However, not only companies that are present in these countries through an associated company or branch are affected by this obligation. Rather, the GDPR also applies to companies that only operate out of non- EFTA countries, provided that goods or services are offered in an EFTA state or the behavior of data subjects who are resident in an EFTA state is being monitored. In such cases, a company from the USA or China, for example, must therefore comply with data protection under the GDPR. If such a non-EEA enterprise uses a service provider in the EEA, it is an importer of data. These are protected under the GDPR. The following statements therefore also apply to this company as the controller of such personal data.
Data protection violations can have serious consequences and should be an essential part of compliance requirements in companies of all sizes. Firstly, there is the threat of fines of up to EUR 20 million or 4% of annual turnover. Last year, Google (EUR 50 million) and H&M (EUR 35 million) had to make the highest payments. In addition, there is a risk of claims for damages by the data subjects and loss of reputation (name and shame). The list of violations and fines is publicly available.
The GDPR provides for various procedures to ensure the equivalence of data protection law in the importing state outside the EEA. One of these is the adequacy decision taken by the EU Commission with regard to the data protection law in the importing state. Only twelve countries worldwide currently meet these requirements. The USA and China, for example, are not included. With regard to the United Kingdom, the examination of equivalence is currently being carried out. The relevant transition period under the new trade agreement expires on June 30, 2021.
From a German perspective, in particular, the USA is THE central importing country for data transfers. This applies not only with regard to the transfer of personal data within transatlantic groups of undertakings. In this respect, companies can agree binding corporate rules for internal communication with the competent data protection authorities. The transfer of personal data that takes place in the external relationship essentially relates to the cloud services of U.S. providers such as Amazon, Microsoft and Google, which are used by companies of all sizes. These are global market leaders and as such, with their servers located in the USA, are importers of personal data on a large scale.
2. The Impact of the ECJ Decision Schrems II on the Invalidity of the Privacy Shield
In relation to the USA, the equivalence of data protection law was guaranteed in the past by an intergovernmental agreement, the so-called Privacy Shield. In its decision of July 16, 2020, known as Schrems II, the European Court of Justice (ECJ) had deemed this agreement to be incompatible with principles of data protection under EU law. This decision was effective immediately and caused considerable uncertainty among companies. As many as 5,300 companies are said to have made use of the Privacy Shield across Europe. Their data transfer to the USA lacked a legal basis overnight.
The U.S. Department of Commerce had already published a statement (White Paper, Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (commerce.gov)) on the decision in September 2020. It examines the standard applied by the ECJ to review U.S. data protection law. It argues that the court did not undertake any independent analysis of U.S. data protection law, but rather looked solely at the reasons given by the EU Commission in 2016 to justify the equivalence of U.S. data protection law to EU standards. The actual circumstances in U.S. data protection law in 2016 and the developments that occurred in the subsequent period are then presented in detail.
Schrems II does not only refer to the Privacy Shield as a basis for the legal transfer of personal data to the USA. Rather, the court also dealt with the so-called standard contractual clauses (SCC). These had already been adopted by the Commission in 2010 as a further basis for the lawful transfer of personal data to third countries. The decision also has implications for the transfer of data to a third country under the Binding Corporate Rules.
Before Schrems II, it was assumed that the stipulation of the SCC with the data importer alone legitimized the data transfer to the third country. In this respect, the ECJ had pointed out the lack of binding effect of the SCC vis-à-vis the authorities of the importing state. Therefore, an impact assessment by the parties with regard to the legal basis and scope of official measures is required. Depending on the outcome of this assessment, additional measures may be required to secure the transfer of data, such as certain forms of encryption.
3. The new standard contractual clauses - Modern and practical
The revision of the SCC, which was necessary anyway, allowed the Commission to also take into account the effects of Schrems II. The introduction of the SCC New was resolved by the Commission on June 4, 2021. Its Clause 14 contains the regulations on impact assessment. For the assessment of data protection law in the importing country, which takes place at the beginning of the contractual relationship, it is designed as a joint obligation of both parties. In the internal relationship between the data exporter and importer, special arrangements can be made individually in this respect. However, the SCC always take precedence. It makes sense for the data importer to carry out an initial impact assessment on site. He may also perform this task for other customers. The above-mentioned white paper from the U.S. Department of Commerce is a suitable starting point for assessing the legal situation in the United States.
It is certain that the regulations on impact assessment will lead to higher costs. These will probably have to be borne by the data exporter. The activities of the data importer to fulfill its obligations according to Clause 15 of the SCC New will also be allocated to the costs. These are extended compared to those under the previous Clause 5.
In addition, the following new provisions in the SCC New should be highlighted:
- The SCC New are modular, i.e. they apply to contracts between parties with different functions in the data processing chain. They address the relationship between several controllers, controller to processor, among processors (i.e. when a sub-processor is involved) and from the processor in the EU to the controller in the third country.
- The SCC New have the same effect as legally prescribed GTC. However, they always take precedence in the event of supplementary agreements between the parties.
- The SCC New grant the data subject (data owner) direct claims against data exporter and importer.
- According to the SCC New, the law of an EU member state which recognizes the beneficial effect of the SCC New on the data subject must be applied to them. The jurisdiction of the court of a member state must also be agreed. Otherwise, however, the data transfer to the third country does not take place on a lawful basis. This fact is known to the major service providers.
4. Deadlines for the application of the SCC New
The decision on the validity of the SCC New shall enter into force on June 27, 2021. The previous SCC are to expire three months later, i.e. on September 27, 2021. Therefore, all contractual relationships concerning the exchange of data with third countries would have to be converted to the SCC New by then.
However, the Commission grants a further period of 15 months, i.e. until December 27, 2022. Within this period, the existing SCC serve to legitimize data transfers to third countries if the following conditions are jointly met:
- The contract for the transfer of personal data was concluded before June 27, 2021,
- the processing operations remain unchanged, and
- for the specific circumstances of the data transfer the application of the previous SCC ensures appropriate guarantees allowing a legally permissible data transfer to the third country concerned.
With the last mentioned condition, it is likely that reference was to be made to the above discussed requirements for data transfer to third countries according to the decision in the Schrems II case, i.e. Clause 14 of the SCC New. Then, however, in our view the SCC New may also be agreed promptly, i.e. without recourse to this additional period, at least in cases of data transfer to problematic third countries, by 27 September 2021 at the latest. This applies in any case in those cases in which otherwise no complex issues are to be settled between the parties.
5. The Kunz data protection check and conclusion of GDPR-compliant data processing agreements
The above statements are evidence of the need to carry out a data protection check based on a checklist focused on the essential aspects in the data exporter's company by September 27, 2021, on the occasion of the introduction of the SCC New. The GDPR has created uniform data protection law throughout Europe. Therefore, in principle, the same checklist can be used in all countries.
This internal compliance audit should essentially cover the following topics and be accompanied by lawyers experienced in the subject matter:
- Inventory of cases in which personal data are transferred by the company to a third country outside the EFTA zone;
- Verification of the legal basis for the data transfer - compliance with the requirements of the GDPR for a lawful transfer of the data to the respective third country concerned;
- If data is exported to a country whose data protection law is not considered as equivalent by the EU: Examination of the data protection law of the importing country: Are additional measures required to ensure the level of data protection in the importing country is equivalent to the requirements of the GDPR? If yes, determination of which ones.
- Stipulation of the SCC New with the data importer, if necessary combined with individual special agreements and additional regulations for the implementation of the additional measures according to lit. c) above.
As a result of the comments in No. 4 above, we believe that the data protection check and the conclusion of the new agreements on data export should be completed by September 27, 2021, where possible. This applies in any case to the need for regulation resulting from the impact assessment. KUNZ Lawyers provides this data protection check for you and supports you in the negotiations and conclusion of new agreements or amendments to existing ones. In order to check the data protection law in the importing country with regard to its equivalence, KUNZ can call in its trusted and reliable cooperation law firms abroad providing efficient and high quality results.
For all these activities, the proven team around the experts for data protection law, Ms. Tanja Risse and Mr. Hareth Ghalaini, attorney-at-law, is at your disposal, with support with regard to foreign legal systems by Dr. Hermann Knott, attorney-at-law (New York).
We will be happy to submit an offer to you. We assure prompt, personal, reliable and high-quality consulting.
With the SCC New, we see a solid basis for making the transfer of data to third countries outside the EEA secure and effective for our clients and in this way minimizing risks of a financial and other nature. With our data protection check, we aim to meet the highest standards for GDPR-compliant transfer of personal data abroad, especially to the USA.
The key to success lies in the assessment of the legal situation in the third country concerned and the establishment of an appropriate control mechanism combined with a plan for adequate additional measures.
Contact us - we will be happy to support you.
Dr. Hermann Knott, LL.M (UPenn)
Rechtsanwalt, Attorney-at-Law (New York)
Antoniterstraße 14 – 16
50667 Cologne, Germany
o +49 221 921 801 587
c +49 151 576 28 456