Update of Standard Contractual Clauses: the deadline is approaching

All relevant stakeholders must update their Standard Contractual Clauses (SCCs) before 27 December this year to comply with the GDPR. This deadline should be considered critical, as a breach of the GDPR can result in fines of up to EUR 20 million or 4 % of a company’s annual global turnover (whichever is higher).

The new SCCs where actually provided by the European Commission (the Commission) last year. Thus, any new agreements entered into after 27 September 2021 must use the updated SCCs as their basis for the third-country transfer of personal data. The deadline of 27 December this year, however, is set for agreements entered into before that date. If they are not updated in time there will be a breach of the GDPR, which can result in very large fines. Below is some background on why the Commission updated the SCCs and which stakeholders are affected by them.

The SCCs are a special set of clauses approved by the Commission. That means that parties that rely on the SCCs for third-country data transfers are not allowed to alter them, except when it is explicitly stated in the SCCs that parties may choose to include or omit different clauses. These clauses regulate responsibilities for data controllers (which transfer personal data outside the EU), as well as responsibilities for data controllers/data processors (which receive that data). There are four different alternatives of SCCs, namely (i) two alternatives comprising personal data transfer outside the EU to data controllers and (ii) two alternatives comprising personal data transfer outside the EU to data processors.

The Schrems II judgement was discussed in an article in one of our previous Life Sciences Reports. The new SCCs reflect the enhanced requirements on privacy protection in relation to the transfer of personal data to countries outside the EU, which stem from that judgement (This judgement invalidated Privacy Shield, the basis on which EU-US data transfers relied.). The new SCCs, for example, include instructions on supplementary measures, e.g. encryption or pseudonymisation, that companies may take if necessary and the obligation of an assessment of the laws in the country of the recipient.

When the new SCCs were introduced, many hoped that their use, together with a data processing agreement (DPA), would be enough to meet those enhanced requirements. This, however, is not always the case. When it comes to the transfer of personal data to the US (which was the case in Schrems II), several supervisory authorities (Austrian, French and Italian) ruled at the beginning of this year that such safeguards are insufficient. The cases concern the use of Google Analytics, but any transfer of personal data to the US is affected by them. Hence, to this date, there are still difficulties in providing a safe way of transferring personal data to the US, as US-based companies cannot ensure adequate protection of the personal data (due to certain US legislation, which allows for US-based governmental and intelligence agencies to access the personal data). However, it should be noted in this regard that, on 7 October, President Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”. This Order, in combination with accompanying Regulations, implements the commitments that were made by the US in March of this year. Following this, the Commission will be able to move forward by proposing a draft adequacy decision and launch its adoption procedure. We will monitor any updates on the matter closely.

The new SCCs are, however, considered sufficient to ensure safe third-country data transfers in most cases. Other ways of ensuring safe third-country data transfers are by using (i) Binding Corporate Rules, (ii) approved codes of conduct or certification mechanisms or (iii) legally binding instruments between authorities. In addition to the aforementioned, there must be statutory rights, the data subjects (i.e. the individuals whose data is being processed) must be able to complain about the personal data processing and have it examined by a court.

To sum up, the SCCs can be used as a basis when transferring personal data outside the EU, although the transfer of personal data to the US cannot be based solely on the SCCs. If necessary, additional measures such as pseudonymisation and encryption can be used as well. The Commission has updated the SCCs, in part to comply with the Schrems II judgement. The SCCs must be updated before 27 December to comply with the GDPR. If this is not done in time, there will be a breach of the GDPR, which can result in fines of up to EUR 20 million or 4 % of a company’s annual global turnover (whichever is higher). So it is important for all relevant stakeholders to make this update in time.

Setterwalls is a top ranked law firm when it comes to data protection and assists our clients in their data protection work. If you have any question regarding the above or need our assistance in your work with the replacement of the old SCCs, please contact us.