Organisations in Europe have been given 18 months to introduce data transfer agreements, known as standard contractual clauses (SCCs), to transfer data between Europe and other countries, including the US and potentially the UK.
The European Commission (EC) has published updated SCCs, which it says are designed to give greater legal certainty to European businesses that want to share data overseas.
In the UK, the Information Commissioner’s Office has announced plans to create a British version of the SCCs, following the UK’s departure from the European Union (EU).
Standard contractual clauses received new prominence in July 2020 when the European Court of Justice told regulators to “suspend or prohibit” data transfers to third countries where they could not meet data protection requirements.
Europe’s revised SCCs take into account a ruling by the European Court of Justice, which struck down the EU-US data transfer agreement, Privacy Shield, amid concerns that EU citizens lacked adequate redress to protect their data from US surveillance laws.
They also incorporate the requirements of the General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive in May 2018.
“With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers,” said the EC’s European commissioner for justice, Didier Reynders. “After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”
The updated SCCs include more robust protections to ensure that personal data transferred overseas is not disclosed to foreign governments and intelligence services.
The SCCs are modular, giving organisations the ability to tailor SCCs to specific circumstances, and they cover a wider range of data transfers than their predecessors.
For example, organisations that are subject to GDPR but are not located in the UK or the EU will be able to use the new SCCs to comply with data transfer restrictions under GDPR.
The SCCs have provisions that will assist companies that outsource data by allowing, for example, data processors to transfer data to sub-processors outside the EU.
Thomas Boué, director general for policy in Europe, the Middle East and Africa (EMEA) at trade organisation BSA, said SCC clauses were widely used. “Nearly 90% of companies transferring data out of the EU rely on SCCs to do so,” he said.
The SCCs allow companies to add greater supplementary safeguards, on a case-by-case basis, which gives organisations greater flexibility, he said. However, they also require companies to document their data transfers in more detail, adding to the cost and complexity of overseas data transfers.
Peter Church, a technology lawyer at Linklaters, said the obligation to assess the risk of data transfers on a case-by-case basis would make the SCCs difficult and expensive to implement.
For example, organisations are expected to assess the effect data importers' laws would have on the privacy of personal data shared overseas.
“This is going to be a difficult and expensive exercise as some local law enforcement and national security laws are complex and obscure. It is not clear how small and medium-sized enterprises [SMEs] are going to be able to comply with this obligation in a meaningful way,” he said.
Church said the real question was how strictly businesses would comply with the new SCCs in practice.
“This is likely to increase the trend towards localisation – not transferring personal data outside the EU in the first place – but this is not always practical, particularly for large businesses operating on a global basis,” he said.
IT lawyer Dai Davis said the new SCCs were an improvement on the previous SCCs, but would be difficult to incorporate into business contracts between organisations.
“Their length and complexity makes them unusable in a commercial contract. The reality is that data protection forms a small part of every contract,” he said.
Davis said SCCs may be useful for giving organisations an idea of what best practice is, but in practice are irrelevant for most companies.
“Most companies have their own data protection schedule that will contain essential elements that go a long way to protecting data sharing in the contract,” he said.
Australian lawyer Max Schrems wrote on Twitter that, at first sight, SCCs would lead to more paperwork for companies, claiming the European Commission had just “kicked the can back down the road to companies, data protection authorities and the European Data Protection Board [EDPB]”.
Another legal decision from the European Court of Justice on the validity of data transfers was likely in the future, he said.
Davis, who agreed with Schrems, said SCCs do nothing to address the problem that countries such as the US, China and Russia have laws that allow state intelligence agencies to access the private data of overseas citizens.
“We are ignoring the fact that, in reality, SCCs cannot work, because it’s not within the power of the European Commission to change underlying US, Chinese or Russian law that is opaque about being able to scan anything coming into the country,” he said.
Bridget Treacy and David Dumont, partners at law firm Hunton Andrews Kurth, said it was not yet clear whether European data protection regulators would agree that the SCCs were sufficient without companies introducing additional measures.
“It remains to be seen the extent to which the European Data Protection Board will consider the new SCCs to provide a sufficient level of protection, or whether regulators will require additional contractual, organisational, technical or other safeguards to be implemented,” they said in a written analysis.