European Commission releases new Standard Contractual Clauses for data transfers outside Europe

The European Commission recently released a new set of Standard Contractual Clauses for the transfer of personal data from controllers or processors in Europe (or who are otherwise subject to the GDPR) to controllers or processors established outside Europe (and who are not subject to the GDPR). Special Counsel Nicholas Blackmore discusses the new Standard Contractual Clauses, and when businesses need to start using them.

Under the EU General Data Protection Regulation 2016/679 (the “GDPR”), organisations are prohibited from transferring personal data outside the European Economic Area (the “EEA”) unless an exception applies.

The most popular option to permit the transfer of personal data outside the EEA is for the parties to enter into a set of standard clauses (called the “Standard Contractual Clauses”) which are pre-approved by the European Commission as providing “appropriate safeguards” for the personal data while it is outside the EEA. Broadly speaking, the Standard Contractual Clauses require the recipient to provide the personal data with most of the same protections required by European law.

The old and new Standard Contractual Clauses

The Standard Contractual Clauses were originally approved by the European Commission under the predecessor to the GDPR, the EU Data Protection Directive 95/46/EC (the “Directive”). The Standard Contractual Clauses were not updated when the GDPR was introduced in 2018, and the European Commission ruled that they would continue to be considered to provide appropriate safeguards under the GDPR.

On 4 June 2021, the European Commission issued new Standard Contractual Clauses that are updated and drafted specifically to reflect the requirements of the GDPR.

Transition arrangements and key dates

The European Commission has put in place the following transitional arrangements for the new Standard Contractual Clauses:

  • Contracts signed before 27 September 2021 can continue to use the old Standard Contractual Clauses until 27 December 2022. Those clauses will still be deemed to provide “appropriate safeguards” for the purposes of the GDPR until that date.
  • From 28 December 2022, the old Standard Contractual Clauses will no longer be deemed to provide “appropriate safeguards” for the purposes of the GDPR, and as such all contracts that use them will need to be amended or replaced to use the new Standard Contractual Clauses.
  • Contracts signed after 27 September 2021 will need to use the new Standard Contractual Clauses in order to be effective.


We recommend that any new contracts adopt the new Standard Contractual Clauses, even if signed before 27 September 2021. This will avoid the need for amendments at the end of 2022.

Features of the new Standard Contractual Clauses

The new Standard Contractual Clauses are a single set of clauses containing four modules, which cover transfers of personal data: (1) from a controller to another controller, (2) from a controller to a processor, (3) from a processor to a sub-processor, or (4) from a processor to a controller. This makes the new Standard Contractual Clauses significantly longer than the old ones: the English version is 20 pages. However, it removes the need for the parties to choose which version of the Standard Contractual Clauses they want to use.

As with the old Standard Contractual Clauses, the parties must not modify the new Standard Contractual Clauses when using them, other than to complete the details where indicated. However, the Standard Contractual Clauses may be included as part of, or incorporated by reference into, a larger contract such as a services agreement.

In terms of content, the new Standard Contractual Clauses still require the recipient to provide the personal data with most of the same protections required under the GDPR, but should be simpler to use and understand because they more closely reflect the requirements of the GDPR. The old Standard Contractual Clauses were drafted to reflect the Directive, and so there was some ambiguity about the effect of some of the clauses when used under the GDPR.

Controller to processor agreements

An important area in which the new Standard Contractual Clauses will simplify compliance with the GDPR is in relation to transfers from a controller based in the EEA to a processor outside the EEA.

Under article 28 of the GDPR, a controller is required to include a series of specific provisions in its contract with a processor. If the processor is outside the EEA, the controller will often need to also include the Standard Contractual Clauses in that contract. But the old Standard Contractual Clauses did not include the clauses required by article 28, because the old Standard Contractual Clauses were intended for use with the Directive.

As such, data processing agreements were often required to contain two sets of data protection clauses: those required by article 28 and the Standard Contractual Clauses. The new Standard Contractual Clauses will simplify this considerably, by including all of the requirements of article 28 in the controller-to-processor module.

What about the UK?

The adoption of the new Standard Contractual Clauses by the EU from 27 September 2021 will mean that the Standard Contractual Clauses under the GDPR and the Standard Contractual Clauses under the UK GDPR will diverge for the first time.

The new Standard Contractual Clauses were approved by the EC after the end of the Brexit transition period. As such, they are not considered to provide appropriate safeguards for data transfers outside the UK under the UK GDPR.

UK businesses can continue to use the old Standard Contractual Clauses, and can amend those clauses as necessary to suit the UK. The UK Information Commissioner’s Office has made a set of UK-amended Standard Contractual Clauses available.

The UK Information Commissioner’s Office is proposing to publish new UK-specific Standard Contractual Clauses in 2021.

This divergence will affect businesses with a presence in both the EU and the UK, which may have been relying on the same clauses to export personal data from both jurisdictions. They will now need a separate set of Standard Contractual Clauses for each jurisdiction.

Conclusion

The new Standard Contractual Clauses are a much-anticipated development that should simplify the compliance around the GDPR, particularly in relation to transfers from a controller based in the EEA to a processor outside the EEA.

However, businesses should be aware of two key dates under the transition arrangements:

  • contracts signed after 27 September 2021 will need to use the new Standard Contractual Clauses; and
  • all contracts which use the old Standard Contractual Clauses will need to be amended or replaced to use the new Standard Contractual Clauses by 28 December 2022.


UK businesses should not use the new EU Standard Contractual Clauses for data transfers outside the UK, as they are not considered to provide appropriate safeguards under the UK GDPR. They should continue to use the UK-amended Standard Contractual Clauses that are available.
