On June 4, 2021, the European Commission (the “EC”) abolished the old Standard Contractual Clauses (the “Old SCCs”) and published a new, more flexible set of clauses (the “New SCCs”) on which companies that wish to export personal data from the EU to elsewhere can rely (for more information, see here and here).
For any agreements signed on or after September 27, 2021, companies can only rely on the New SCCs. For agreements signed before September 27, 2021 that incorporated the Old SCCs, the EC allowed companies to continue relying on this old form until December 27, 2022. From this date, all agreements will need to be updated to replace the Old SCCs with the New SCCs.
Who does this impact?
The deadline will impact any companies that export personal data from the EU to third countries and have not yet updated their contracts with the New SCCs. The main obligation to implement a data export mechanism lies with the data exporter.
What steps should companies take?
1. Identify agreements that are impacted
As a first step, data exporters should carry out a review of existing agreements to identify those involving a restricted data transfer from the EU to third countries, but that still contain the Old SCCs or no model clauses at all. Transfers to countries that are subject to an adequacy decision by the EC are out of scope.
2. Update SCC section of these agreements
Once the relevant agreements have been identified, data exporters need to do the following:
- Identify the applicable module of the New SCCs — Companies should identify the data processing roles of the parties to the agreements in order to identify which module of the New SCCs is applicable to their transfer. Depending on the specific scenario, one out of four available modules will apply: Module 1 governs transfers between data controllers; Module 2 applies to transfers from a data controller to a data processor; Module 3 is relevant to transfers between data processors; and Module 4 concerns transfers from a data processor to a data controller.
- Incorporate the New SCCs and update the appendices — Each module of the New SCCs has appendices that need to be completed. These are similar, but not identical, to the appendices of the Old SCCs. For example, Module 1 (governing transfers between data controllers) now requires the importing controller to specify the security measures they have in place to protect the received personal data.
- Roll out contract update — As a next step, companies should identify the most appropriate means of rolling out the update. In practice, this will depend on whether the current agreement allows a contracting party to unilaterally update its terms if a change is legally required. Often, a data processing agreement will contain wording to this effect. In that case, any party that has been given the right to update the agreement unilaterally can send out a contract update that does not need countersigning.
If the agreements do not contain unilateral rights to vary the contract, the assessment as to whether a countersignature is required will depend on the laws applicable to the agreement. Usually, changes to an existing contract must be agreed to in writing by both contract parties. In practice, many companies consider this approach too burdensome and opt to send out a simple notice to all contracting parties without requiring countersignature, but this can, of course, pose issues from a contractual enforceability viewpoint. Some laws will allow companies to send a contract update that will be considered “accepted” if the other side then takes positive steps to continue the relationship without any challenge to the new terms. If counterparty consent is required, the process can be streamlined through an update email containing an easy mechanism to agree to the change (e.g., button, link to DocuSign, etc.).
3. Align data protection practices with New SCCs
If they have not done so already, companies importing personal data from the EU should align their data protection practices to the obligations set out for them in the New SCCs to ensure compliance.
When companies roll out their contract updates, they should keep in mind that the deadline falls during the holiday season. Depending on whether companies require the updated agreement to be fully executed, this may affect the rollout.
Companies should expect to receive last-minute requests and notices from their counterparties to update agreements now that the deadline is approaching. While these updates are not principally the importers’ responsibility, some importers may nevertheless choose to initiate the update process. For example, service providers processing personal data in third countries, such as the US, may want to assist their EU customers by proactively updating their data processing terms.
Can we include the UK export mechanism in our contract update?
Yes. The New SCCs only govern transfers originating in the EU. For transfers from the UK, parties can rely on the International Data Transfer Agreement (the “UK IDTA”), which entered into force on March 21, 2022, along with an addendum to the New SCCs (the “UK Addendum”) which can be used if companies export data from both the EU and the UK (for more information, see here). Companies must include the UK IDTA in all agreements signed on or after September 21, 2022, and have until March 21, 2024 to update existing agreements. However, it may be more efficient to incorporate the UK Addendum alongside the New SCCs.