New SCCS Under GDPR: Are Organizations Ready?

By Arya Tripathy on September 28, 2021

Introduction

Article 46 of the General Data Protection Regulation (GDPR) lays out the alternative grounds that would allow a controller or processor to transfer personal data (PD) to a foreign jurisdiction which is not recognised as adequate. One of them is standard data protection clauses adopted by the European Commission. On June 4, 2021, the Commission adopted a set of New Standard Contractual Clauses (New SCCs) replacing the earlier ones that were framed under the 1995 Data Protection Directive (Old SCCs). New SCCs come up with a “modular” structure, addressing certain practical issues encountered in international data transfers with the objective of catering to digital economy developments, new and more complex processing operations involving multiple levels, prolonged processing cycles, and evolving business relationships. New SCCs were implemented with effect from June 27, 2021 and provide different timelines for existing and new transfer arrangements. For the existing ones entered before June 27, 2021 that incorporate Old SCCs, parties can continue to rely on them and transfer PD till December 27, 2022. Any new arrangement after September 27, 2021 must be using New SCCs. Those which are entered into between June 27 and September 27, 2021, can still follow Old SCCs, and will be valid till December 27, 2022. With these bifurcated timelines, organisations have been provided with transition period to ensure that their transfer processes and mechanisms are upgraded to New SCCs.  

As the 3 months’ window till September 27, 2021 lapses, this post provides a quick recap and overview of the New SCCs.

1. Validity of SCCs: The validity of using Old SCCs for cross-border data flow was challenged in Schrems II case (Data Protection Commissioner vs. Facebook Ireland Limited, Maximillian Schrems (C-311/18)). Brief background and timeline leading up to Schrems II:

2000: European Commission adopts decision recognizing EU-USA safe harbour arrangement as adequate for data transfers from EU to USA; safe harbour essentially was a self-assessment and certification mechanism.

2013: In light of Snowden revelations on USA surveillance practices, Maximillian Schrems lodges a complaint with the Irish data protection authority, requesting investigation into Facebook Ireland’s practice of transferring user data to Facebook Inc. servers in USA and the level of protection provided under safe harbour.

2015: Court of Justice of the European Union (CJEU) invalidated safe harbour arrangement due to lack of adequacy in Schrems I (Maximillian Schrems v. Data Protection Commissioner (C-362/14)) ruling. Facebook Ireland explained that much of its data transfer was pursuant to SCCs. In December 1, 2015, Max Schrems reformulated his complaint to question sufficiency of SCCs in light of invasive USA surveillance programmes that breached fundamental rights of privacy and recourse to effective legal remedies.

2016: Meanwhile, European Commission and US Department of Commerce began designing a data transfer mechanism EU-US Privacy Shield Framework which was deemed adequate and in line with EU data protection principles.

2018: On reformulated complaints from Max Schrems, Irish high court referred the question to CJEU.

2020: CJEU invalidated the EU-US Privacy Shield BUT upheld validity of SCC based transfers with a word of caution – assess the level of protection afforded in the importer jurisdiction and provide additional safeguards. The ruling solidifies the need for transfer impact assessment (TIA). Simply put, TIA requires the exporter to evaluate the state of law in the importer jurisdiction, and if it does not provide a comparable degree of protection as is provided under GDPR, SCCs must be supplemented with other measures for valid data transfer.

Thus, a series of events leading up to Schrems II ruling establishes the validity of SCC based transfers, although TIA on case-to-case basis is critical. Consequently, now, exporter organisations have evolved TIA processes (often initiated as checklists) to require information and verify actual measures implemented by importers. They evaluate the impact over a span of 3 to 7 years depending on the sensitivity of transferred PD, jurisdiction, state of data protection laws, technical measures implemented and purpose of the transfer, and other relevant factors. Nonetheless, a uniform theme for TIA is to evaluate the state of surveillance and intelligence exercise by government and whether there are sufficient checks and balances on unlawful access to PD, and to this effect, New SCCs formalise some of the key aspects, as discussed later.

2. New SCCs structure: New SCCs are poised to provide contractual safeguards on first-hand and onward data transfer scenarios. The clauses cannot be modified, but can be made part of a wider contract or augmented with stricter standards. Clauses which are contrary to New SCCs shall be superseded, and interpreted in line with GDPR. It defines “data exporter” as a legal or natural person and any other public authority/agency/body that is in EU or is governed by GDPR due to its long-arm jurisdiction and transfers PD to an inadequate jurisdiction. The recipient is a data importer. With a “modular” approach, New SCCs contemplate 4 categories of cross-border data transfer: (i) controller to controller (C-C), (ii) controller to processor (C-P), (iii) processor to processor (P-P), and (iv) processor to controller (P-C). Parties have to identify the appropriate module, include relevant clauses, and this will set the house in order as Old SCCs only catered to C-C and C-P scenarios. Along with these modules, New SCCs provide 3 annexures that must be used to substantiate details of the data transfer, technical and organisational measures for security of data, and list of sub-processors (where applicable).

New SCCs also introduce an optional docking clause. This clause will allow third-parties who become associated with the transfer and processing cycle at a later stage, accede to the already executed contract. Multiparty contracts for cross-border transfer were used in practice under Old SCCs, and this practice has been formalised, thereby making overall contracting matrix simpler. This does not mean that organisations can no longer execute new contracts to induct a new party should they decide to follow that route.

3. TIA and related matters: Clauses 14 and 15 of New SCCs rely on impact assessment, warranty, pro-active notification and implementation of additional safety measures as key pillars of a rigorous TIA. Exporter and importer must warrant that there is no reason to believe that destination jurisdiction laws and practices, including the legal need to disclose PD to authorities will prevent the importer form complying with New SCCs. The underlying understanding for this warranty is that local laws have only proportionate digressions and respect fundamental rights and freedoms. In order to provide this warranty, parties must conduct TIA that takes into account the specific circumstances of transfer (like processing purpose, duration, chain, transmission medium, onward transfers, etc.), local laws and practices, and relevant data protection measures. This is a continuous exercise, which is where identifying certain time duration as discussed earlier becomes relevant. Accordingly, importer must provide all relevant information to and cooperate for continued compliance with the exporter. The findings must be documented and made available to competent supervisory authority when required.

Going ahead, if importer believes that local laws and practices (such as change of law, or a disclosure request ) are no longer aligned with the original warranty, they must notify the exporter promptly. Pursuant to such notification or if exporter has other reasons to believe that importer can no longer comply with New SCCs, then, it must promptly identify appropriate measures to ensure security and confidentiality. Should such measures not be possible, exporter must suspend PD transfer and may terminate the contract as well.

As a necessary corollary, New SCCs also impose pro-active notification obligation on importer where it receives a legally binding instruction to disclose PD from any public or judicial authority under the local laws, or where such authority has gained access to PD. If local laws prohibit such notification, importer must on a best-efforts basis obtain waiver, so as to be able to communicate such information to exporter. Additionally, it is obligated to review the legality of the request for disclosure and to challenge and seek interim relief if it concludes that there are reasonable grounds to consider such access request unlawful. This legal assessment must be documented and made available to the exporter and to competent supervisory authority on request.

4. Data protection safeguards: Under each of the modules, New SCCs provide for specific clauses catering to purpose limitation, transparency, accuracy, data minimisation, storage limitation and other related processing aspects. These are aligned with the core data processing principles and take into account the fundamental rule that processing should be at behest of controller’s directions. Below table provides an overview of these contractual requirements per module:

#	Contract clause	C-C	C-P	P-P	P-C
A.	Purpose limitation on importer’s processing scope	Processing must be for purposes specified in New SCC annexure For any other purpose, process (i) with data subject consent, (ii) where necessary for establishing, exercising, or defending legal claims, or (iii) where necessary to protect data subject’s or any natural person’s vital interests	Only and strictly as mentioned in New SCC annexure and in compliance with directions from controller	Same as C-P	N/A
B.	Transparency obligation	Importer (being a controller in its own right) must notify data subject about its identity and contact details, PD categories, their right to obtain a copy of executed SCCs, and details of onward transfer Notice obligation is subject to whether data subject already has the information, or if compliance is impossible, or if it entails disproportionate efforts	Exporter as controller to make copy of executed SCCs available to data subject free of charge, with redactions for confidential information and business secrets Redaction should not deny data subject the right to receive a meaningful summary	Same as C-P	N/A
C.	Data accuracy and minimisation	Ensure that PD is accurate, and if necessary, kept updated by both parties Where one party gets knowledge that PD is inaccurate/outdated, promptly inform the other party Importer to ensure that PD is adequate, relevant and limited to what is necessary for processing purposes	Importer on getting knowledge that PD is inaccurate/outdated must inform exporter promptly and cooperate with exporter to erase or rectify PD Nothing on minimisation as this has to be primarily decided by the controller	Same as C-P	N/A
D.	Data retention and allied matters for importer	Parties must not retain PD longer than what is necessary for processing purposes Must put in place appropriate technical and organisational for complying with this retention limitation, including erasure or anonymisation at end of retention period	Importer must process only for duration prescribed in New SCC annexure At end of such duration, importer shall at exporter’s discretion delete all PD, certify such deletion OR return PD and delete existing copies Until such time PD is purged or returned, importer must comply with New SCC If applicable local law does not permit deletion or returning of PD, importer must comply with New SCC and process PD only to the extent and duration required under law	Same as C-P	N/A
E.	Ensuring security of PD by importer	Must implement appropriate technical and organisational measures for security of PD including protection against breach situations Adequacy of security must take into account state of the art, implementation costs, nature, scope, context and purpose of processing, and risks involved Parties will agree and add the security measures in New SCC annexure Regularly check the sufficiency and resilience of these measures If PD is sensitive data such as biometrics, racial, etc., importer shall deploy additional safeguards Authorised persons having access to PD must be committed to confidentiality If a data breach occurs, importer must take appropriate measures to address and mitigate the adverse effects and notify exporter plus competent supervisory authority, and if risk is high, inform data subjects as well	Must implement technical and organisation measures for security of PD and in the least comply with those listed in New SCC annexure including any which are particular to sensitive data, plus regularly check those measures Grant access to PD to its personnel strictly on a need-to-know basis i.e., if needed for implementation, management and monitoring of the contract with exporter Ensure that those with access are bound by confidentiality Where a breach occurs, take appropriate measures to address and mitigate risks, notify exporter promptly and cooperate and assist exporter to comply with its obligations under GDPR	Same as C-P	Both parties must implement appropriate security measures Exporter shall assist importer in ensuring appropriate security and if there is breach, notify and assist the exporter Exporter shall ensure that personal with access are committed to confidentiality
F.	Onward transfers by importer	Cannot transfer PD to any country outside EU (including importer’s own jurisdiction, unless third party: Docks into the executed New SCCs Belongs to an adequate jurisdiction under Article 45 of GDPR Ensures appropriate safeguards under Article 46 or 47 of GDPR Enters into a binding instrument that ensures same level of protection as under New SCC and importer provides a copy of the same to exporter Necessary for establishment, exercise or defence of legal claims Necessary to protect the vital interest of subject or any other natural person If none of the other conditions apply, subject has consented to onward transfer	Cannot transfer PD to a third party (not even in EU) unless there are documented instructions from exporter; and additionally, if third-party is outside EU, cannot be disclosed unless, Docks into executed New SCs Belongs to an adequate jurisdiction under Article 45 of GDPR Ensures appropriate safeguards under Article 46 or 47 of GDPR Necessary for establishment, exercise or defence of legal claims Necessary to protect the vital interest of subject or any other natural person	Same as C-P	N/A
G.	Documentation & compliance	Each Party should be able to demonstrate compliance with New SCC Importer should keep processing records and make it available to competent supervisory authority when required	Parties must demonstrate compliance with New SCC Importer specifically must (i) promptly and adequately deal with queries from exporter, (ii) keep processing records, (iii) make available to exporter all information necessary to demonstrate compliance, (iv) at data exporter’s request allow audit of processing activities	Same as C-P	Each Party should be able to demonstrate compliance with New SCCs, and exporter to provide necessary information to importer for demonstrating compliance
H.	Sub-processors	N/A as transfer is between controllers	2 options – specific prior OR general written authorisations Importer to execute a written contract with sub-processor that is aligned in substance with New SCCs; provide a copy of this agreement to exporter and remain fully responsible for actions and obligations of sub-processor Agree to third-party beneficiary rights (discussed below) where if sub-processor has factually disappeared or ceased to exist in law or becomes insolvent, exporter shall have a right to terminate the sub-processing agreement and require sub-processor to erase or return PD	Same as C-P	N/A
I.	Subject rights	Direct obligation on importer to comply with subject’s right requests for access, correction, erasure, withdrawal of consent for direct marketing purposes, prohibition of automated decision-making	Notify exporter on receipt of a subject request and not respond unless authorised by the exporter, assist exporter to respond	Same as C-P	Parties shall assist each other to respond to subject’s requests

5. Third-party beneficiary rights: A cardinal principle underlying GDPR compliant cross-border transfer is enforceability of data subject rights and their access to legal remedies in the foreign jurisdiction. This is enabled through third-party beneficiary right mechanism, which simply means benefit to enforcement and compensation by a person who is not directly privy to the contract but is the ultimate beneficiary. Clause 3 of New SCC states that data subjects can directly enforce New SCCs, and lists those which cannot be enforced. These carved out clauses mostly pertain to inter se relationship between exporter and importer, or concerning interaction with data protection authorities. Under Old SCCs, data subject had to in first instance, initiate their claim against the exporter, and if that was not possible, then, the importer, followed by the sub-processor. Thus, the approach was staggered. Now, they can directly enforce against exporter, importer, or sub-processor. Specific to C-P and P-P scenarios, New SCCs state that if the data subject in exercise of their third-party beneficiary rights decides to lodge complaint with competent supervisory authority or refer the dispute to competent courts, importer has to accept such choice, without prejudice to their substantive and procedural rights to seek remedies in accordance with applicable laws. In order to determine the extent of liability for exporter and importer, New SCCs provide that each party is liable to the data subject for compensation for any kind of breach of New SCCs, and where more than one party is responsible, all are jointly and severally liable. In such situation, data subject can bring in claim against any of these parties. Upon adjudication, if a party is held liable and has to compensate, such party shall have a right to claim back from the others i.e., other contribute to the compensation.

6. Supervisory authority, governing law and disputes: Importer must submit to the jurisdiction of competent supervisory authority. This will be (i) where exporter is in EU, the responsible supervisory authority that has jurisdiction over exporter, (ii) if exporter is not in EU but must comply with GDPR due to long-arm provisions, and exporter has appointed a EU representative, supervisory authority of the member state where the representative is established, and (iii) if exporter is not in EU but must comply with GDPR and does not have a EU representative, then supervisory authority of one of the member states where subject is located. In terms of governing law, New SCCs provide that it must be one of the EU member state law which allows for third-party beneficiary rights. For disputes, adjudication shall be by courts of an EU member state, except where it is P-C, where parties can identify the competent courts located in any other jurisdiction as well.

Conclusion:

New SCCs tighten up loose-ends and also formalise some existing practices. Trust But Verify is the new norm for SCC based transfers. Many have observed New SCCs to bring in onerous and expensive requirements, and this demands parties to thoroughly strategize cross-border data flow, prepare for associated costs, and negotiate bearing in mind the core data processing principles under GDPR as well as existing & future state of applicable local laws. More often than not, data transfers enable infrastructure sharing and cost reduction, but the increased significance of having laws and legal redressal system that aligns with EU democratic principles has required revisiting of the cost-benefits analysis. Many attractive processing destinations may or may not have robust data protection laws or could have governments with unfettered powers to surveil and access PD for law enforcement, state security and national interest purposes. These are difficult situations to overcome for an importer, and to certain extent, beyond their reasonable control. For these jurisdictions, governments and regulators share an equal burden to revisit the existing laws, so as to create a conducive ecosystem for data flows from EU. It also increasingly indicates the need for independent national data protection authorities, developing adequate checks and balances in surveillance laws, and participating in talks for an international data transfer framework. Additionally, parties will need to carry out detailed inventory of existing data transfers, assess the need to change, evaluate the reasons for transfer, conduct TIAs, understand existing legal processes for discovery and surveillance, and implement appropriate technical measures for integrity of PD during transmission and at rest. All of these will take months, and it will be worthwhile to revisit how organisations and countries have fared at the end of December 2022. Nonetheless, transparency, constant flow of information inter se parties, repeated resilience checks and ongoing review for identifying the need to supplement existing technical and organisational measures are the way forward, which are likely to minimise liability, mitigate breach risks, and bring in more accountability.

Author acknowledge the initial research work done by Rishi Sehgal