European Commission Adopts New Set of Standard Contractual Clauses
9 June 2021
Technology & eCommerce Regulation in the Spotlight
The European Commission (EC) has announced the adoption of two sets of new Standard Contractual Clauses (SCCs) bringing the contractual data transfer mechanism in line with the General Data Protection Regulation (“GDPR”) and the ruling of the European Court of Justice (“ECJ”) on the “Schrems II” case (see our previous related report).
The first set of SCCs, which are similar to what is usually referred to as a regular Data Protection Addendum (“DPA”), are meant to govern the contractual relations between controllers and processors located in the EEA per the requirements of articles 28(3)-(4) of the GDPR. Based on guidelines by the European Data Protection Board (“EDPB”), published in September 2020, the new SCCs under article 28 are not compulsory. In its guidelines the EDPB states that: “the controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses.”
The second set of SCCs was drafted to address transfers of personal data outside the EEA. Compared to the existing SCCs, which only address the controller-controller and controller-processor transfer scenarios, the new SCCs combine general clauses with a modular approach that also addresses the processor-processor and processor-controller data transfer scenarios. The new SCCs also recognize controllers and processors established outside the EEA as eligible data exporters.
As mentioned, the new form of the SCCs also incorporates provisions arising from the ECJ decision in Schrems II, requiring the parties to implement preventive measures to mitigate potential risks. Under these measures, the parties shall warrant that at the time of signing the SCCs, they have no reason to believe that the laws applicable to the data importer (the receiving party), including any disclosure requirements, prevent the data importer from complying with the SCCs. In giving this warranty the parties must consider (1) the circumstances of the transfer; (2) the laws and practices in the recipient third country; and (3) any supplementary measures implemented. Also, when receiving a request for disclosure from a public authority, the data importer should take specific steps, including notifying the data exporter of the request (where possible), providing the exporter with “aggregate information at regular intervals”, documenting the request and response, and challenging the request where there are reasonable grounds to consider it unlawful.
In addition to the above, the new SCCs also include a ‘Docking Clause’ (Article 7) that enables third parties to accede to the SCCs at any point in time without having to sign a separate agreement with each party. Furthermore, the new controller-processor and processor-processor SCCs include the wording required under articles 28(3)-(4) of the GDPR, replacing the need for entering into a separate DPA. The new SCCs can be incorporated into a broader commercial contract, and additional clauses can be added provided these do not contradict the clauses or prejudice the rights of data subjects.
The existing SCCs will stay in force for the next three months. After that period, organizations that want to use contractual clauses as their legal basis for new data transfers shall use the new form of the SCCs. For agreements that were already signed relying on the previous SCCs, organizations will have a grace period of 18 months to implement the new SCCs. It should be noted that even if a transfer made under the old SCCs is complete, the new SCCs must be executed if the data is still being used by the data importer.
While the new SCCs should result in more robust organizational and technical protections, they will require much more thought and background work on the part of data exporters and importers. Under the new SCCs, the parties must be able to demonstrate compliance with all provisions, and the data exporter must warrant that it has used “reasonable efforts” to determine that the data importer is able to comply with the new SCCs.
In terms of next steps, companies shall review their data transfer practices and develop operational procedures to ensure ongoing compliance with the applicable regulatory requirements. Please feel free to contact us for assistance with such a review or if you have any other questions regarding the effect of the recent regulatory changes on your company’s data flows.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation