The EU Commission is planning new Standard Contractual Clauses (SCCs) for cases where the data recipient in the third country, i.e. the data importer, is already subject to the General Data Protection Regulation (GDPR). High time, as the heavy fines imposed in recent months show.
Why is a further set of SCCs necessary?
SCCs are the most important transfer instrument for the transfer of personal data to third countries without an adequacy decision by the EU Commission. In 2021, a new version of the SCCs was adopted following the Schrems II judgment.
There are already four modules of standard contractual clauses that cover different transfer scenarios. Nevertheless, one central question has been discussed repeatedly since the SCCs were revised in 2021:
Are standard contractual clauses also required if a data importer is based outside the European Economic Area (EEA) but is directly subject to the General Data Protection Regulation pursuant to Art. 3 (2) GDPR? A good indication of whether a data importer is directly subject to the GDPR within the meaning of Art. 3 (2) GDPR is its appointment of an EU Representative under Art. 27 GDPR.
Would this not lead to a duplication of obligations? On the other hand, how does one deal specifically with the risks associated with the data importer being located in a third country? These risks include:
- potentially conflicting national laws,
- the access of the authorities in the third country and
- difficulties in enforcing and obtaining legal remedies against an entity outside the EU.
What many companies do not know: Recital 7 of the Implementing Decision on SCCs ((EU) 2021/914) states that SCCs may not be used for data importers that fall within the scope of the GDPR. This restriction makes the SCCs unsuitable for situations where both the data exporter and the data importer are subject to the GDPR.
Development of the new SCCs
The European Data Protection Board (EDPB) had already taken a clear position in its Guidelines 05/2021 (on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR). According to this, SCCs are also necessary if the data importer is subject to the GDPR, as they eliminate potential contradictions between foreign laws and EU regulations. The EDPB called on the EU Commission to draw up a further set of SCCs to close the gap.
Now, almost three years later, the EU Commission finally seems to be complying with this request by developing a special set of SCCs that takes the Art. 3 (2) GDPR scenario into account.
New SCCs for the transfer of data to controllers and processors in third countries subject to the GDPR are to be adopted by the second quarter of 2025. In addition, a public consultation on these clauses will be launched in the fourth quarter of 2024.
How important are further SCCs in practice?
So far, the debate on the lack of suitable SCCs has been characterised more by theoretical data protection discussions.
However, the recent fine of 290 million euros against the mobility provider Uber in the Netherlands in particular shows the practical relevance as well: in a complaint by the French data protection authority CNIL, concerns were raised that sensitive data of EU drivers was inadequately protected due to the lack of SCCs. Uber argued that no SCCs were required for data transfers to the USA, as Uber Technologies Inc. was already subject to the requirements of the GDPR in the USA. Uber also referred to the recitals of the 2021 SCCs.
However, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) rejected this argument and emphasised that even data importers subject to GDPR obligations could be subject to foreign laws that conflict with EU standards, underlining the need for SCCs in such scenarios.
Contents of the new SCCs
Little or nothing is yet known about the content of the new SCCs. A draft is not yet available.
Nevertheless, the new SCCs are likely to be more streamlined in terms of scope. The previous modules of the 2021 SCCs are characterised in particular by the inclusion of many principles of the GDPR in the contract. This makes sense because they are aimed at data importers who are not subject to the GDPR.
The new SCCs can be kept shorter here and only deal with the special obligations for data importers from third countries that are directly subject to the GDPR.
The new SCCs should therefore help to ensure uniform compliance with the level of data protection and at the same time avoid unnecessary duplication of requirements that would burden companies.
Conclusion: legal certainty will hopefully come soon
The recent decisions by EU regulators to impose significant fines on companies that have not put adequate safeguards in place when transferring personal data to third countries show that regulators are not shying away from rigorously enforcing compliance. Companies cannot rely on the legal uncertainty that has existed since the publication of the 2021 SCCs to explain why they are transferring personal data to third countries without adequate safeguards in place.
Until the new SCCs are published, organisations should carefully review their data transfers, implement appropriate safeguards, either under the current version of the SCCs or through other transfer mechanisms provided for by the GDPR, and, if necessary, carry out a data protection impact assessment (DPIA) for the transfer.
To reiterate, when transferring to a third country, it is essential to implement SCCs or other appropriate safeguards, even for organisations that are subject to the GDPR.