
EU Regulatory Update – September 2021

The EU has replaced its standard contractual clauses with new standard contractual clauses (SCC) where personal data will be exported from the EU to certain countries which specifically includes the United States. The rules have become tighter. Here are the details:

EU New Standard Contractual Clauses adopted: Significant dates and key changes

The European Commission has issued new Standard Contractual Clauses (SCCs) that are applicable to transfers of data between EU Member countries and non-EU countries. The new SCCs entered into force 20 days following their publication in the Official Journal of the EU, i.e. on June 7, 2021. A transitional period of 18 months has been allowed for incorporating the new SCCs into existing contracts. Until then, existing contracts can continue to rely on the old SCCs.

The following are the important dates and timelines with respect to the new SCCs:

June 27, 2021:

New SCCs entered into force, allowing entities to legally adopt them.

Period of 3 months from June 27, 2021, i.e. until September 27, 2021:

Entities can continue to use old SCCs for execution of contracts.

Old SCCs cannot be used after September 27, 2021.

All new contracts must be executed incorporating new SCCs after September 27, 2021.

Period of 18 months until December 27, 2022:

Though entities can continue to use earlier contracts incorporating old SCCs, they must gradually replace old SCCs with new SCCs.

In case of contract renewals or changes in the processing operations occurring within the next 18 months, entities must incorporate new SCCs in their contracts.

By December 27, 2022, all contracts must rely on the new legal instruments incorporating new SCCs, and old SCCs must be entirely phased out.

Given below are the key differences between the Old and New SCCs, listed by topic:

Modular approach
Old SCCs: The Old SCCs were entirely separate agreements for each transfer scenario (e.g., Controller-Processor and Controller-Controller).
New SCCs: The New SCCs are a single agreement with a modular approach. The four transfer scenarios and their modules are: Controller to Controller (Module One); Controller to Processor (Module Two); Processor to Processor (Module Three); Processor to Controller (Module Four).

Transfer scenarios
Old SCCs: Allowed data transfers in the Controller to Controller and Controller to Processor scenarios only.
New SCCs: In addition to Controller to Controller and Controller to Processor transfers, also contemplate transfers from Processor to Sub-Processor and from Processor to Controller.

Supervisory authority
Old SCCs: Did not expressly recognize that the data exporter can be established outside the EU.
New SCCs: Expressly recognize that a data exporter established outside the EU can fall within the scope of the GDPR. If the data exporter is not established in the EU, the competent supervisory authority will be that of the Member State in which the European representative is established. Thus, the data importer would have to submit itself to that supervisory authority.

The docking clause
Old SCCs: Had no docking clause.
New SCCs: Enable use by multiple parties, who may sign on at a later stage. Multiple controllers and processors may sign on to the same set of SCCs.

The Schrems II effect
Old SCCs: For transfers to the United States, businesses primarily relied on Privacy Shield and European Commission approved Standard Contractual Clauses. On July 16, 2020, the EU Court of Justice (ECJ) invalidated Privacy Shield.
New SCCs: Address the Schrems II judgment. They set forth an obligation on the data exporter to consider the level of protection of personal data in the country outside the EEA; an obligation on the data importer to notify the data exporter of any inability to comply with the New SCCs; and a related obligation on the exporter to suspend data transfers or terminate the agreement.

Declaration by the parties
Old SCCs: NA.
New SCCs: The parties need to give a declaration at the time of signing to the effect that "they have no reason to believe that the laws and practices applicable to the data importer, including any requirements around disclosure to, or access by, public authorities, would prevent the data importer from complying with the New SCCs".

Transfer impact assessment
Old SCCs: NA.
New SCCs: Both parties must conduct a "transfer impact assessment" that takes into account: the specific circumstances of the transfer (for example the nature of the data being transferred, the type of recipient and the purpose of processing); the laws and practices of the country of destination that are relevant in light of the circumstances of the transfer; and the safeguards put in place to supplement those under the New SCCs (including relevant contractual, technical and organizational measures).

Notify data exporter of legal request for disclosure
Old SCCs: NA.
New SCCs: If the data importer receives a "legally binding request" from a public authority for disclosure of transferred personal data, it must inform the data exporter and, where possible, the data subject.

Data subjects' rights
Old SCCs: Data subjects could take action directly against a data importer only where the data exporter had failed to take appropriate action against the data importer despite the data subject's request.
New SCCs: Data subjects are allowed to enforce certain rights as third-party beneficiaries against either the data importer or the data exporter.

Onward transfers
Old SCCs: Limited provisions on onward transfers.
New SCCs: Impose restrictions on onward transfers. The data importer may not disclose the personal data to any third party in the country of the data importer or in another country outside the EEA, subject to certain limited exemptions.

Liability
Old SCCs: Limited liability provisions for data subjects.
New SCCs: Introduce strict liability provisions; each party is liable to the other party for any damages caused as a result of a breach of the New SCCs.

Implications

While there is a 15-month transitional period available to entities for adopting the New SCCs, they need to initiate the following now:

Identify the data flows which will be impacted, and whether incorporation of new SCCs is necessary

Consider which modules of the new SCCs apply to their data transfers

Perform a “transfer impact assessment” for data flows to each country and document the result

Perform diligence on customers and third-party suppliers

Implement all necessary “supplemental measures” to improve data protections

Identify and scrutinize contracts with customers and third-party suppliers and make the necessary changes

Data importers and data exporters must ensure compliance with the GDPR. Failure to implement the new SCCs may expose entities to litigation and other legal risks in Europe, as well as potential fines under the GDPR.