The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs.

Legal Context

The Ex-EU SCCs are a mechanism that companies can use to address the restrictions under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) on the cross-border transfer of personal data to third countries. The EC has adopted the Ex-EU SCCs under Art. 46(2)(c) GDPR to replace earlier versions of standard clauses adopted by the EC pursuant to the cross-border transfer restriction in the predecessor to GDPR, the 1995 EC Data Protection Directive (95/46/EC). In particular, the Ex-EU SCCs now replace the EC’s 2001/4 standard clauses for cross-border transfers to data controllers in third countries (“Old C2C Clauses”) and the EC’s 2010 standard clauses for cross-border transfers to data processors in third countries (“Old C2P Clauses”).

The Ex-EU SCCs arrive at a critical juncture in the regulation of cross-border data transfers. Last summer, in a ruling called “Schrems II,” the Court of Justice of the European Union invalidated the EC’s decision approving the EU-U.S. Privacy Shield Arrangement (“Privacy Shield”) as providing adequate protection for cross-border data transfers to the US. See the ConnectOnTech Resource Hub on Schrems II here. Negotiations are now aggressively underway between the United States Government (“USG”) and the EC for the development of an update to Privacy Shield to address Schrems II (“Privacy Shield 2.0”). In the meantime, the Ex-EU SCCs, which include language specifically aimed at addressing elements of the Schrems II ruling and related guidance from authorities, will play a central role in virtually all companies’ efforts to address cross-border data transfers under GDPR Art. 5.

The Intra-EU SCCs are a relatively new type of standard clauses. The EC has adopted the Intra-EU SCCs under Art. 28(7) GDPR to help data controllers to address the obligations to implement appropriate contractual clauses with data processors under Art. 28(3) and (4) GDPR. The EC has clarified that controllers and processors may choose to negotiate their own contracts containing the compulsory elements in Art. 28(3) and (4) GDPR, or may use the Intra-EU SCCs to address these obligations. Companies should monitor, however, whether the Intra-EU SCCs become a standard benchmark in negotiations about data processing agreements as they represent a somewhat “official” opinion on what a data processing agreement should look like under Art. 28 GDPR.

Structure

The Ex-EU SCCs present a form of “choose your own adventure” structure as the EC sought to modernize the options for companies facing different types of cross-border data transfers. The four different options or modules are as follows:

  • Module 1: Controller to controller. This module generally could be used where a controller within the territorial scope of GDPR transfers personal data to a controller in a third country. This could include data transfers between and among affiliates in a group setting, or between customers and service providers where each acts as a data controller.
  • Module 2: Controller to processor. This module generally could be used where a controller within the territorial scope of GDPR transfers personal data to a processor in a third country. This could include data transfers between customers and service providers where the former is within the territorial scope of GDPR and acts as a controller, while the latter is in a third country and acts as a processor.
  • Module 3: Processor to processor. This module generally could be used where a processor within the territorial scope of GDPR transfers personal data to a processor (or sub-processor) in a third country. This module represents an innovation in standard clauses, as the old versions of standard clauses always assumed that the entity in the European Union acted as a controller. This module could be used to help address cloud and other multi-layered service provider arrangements where a processor is within the territorial scope of GDPR and a processor (or sub-processor) is in a third country.
  • Module 4: Processor to controller. This module generally could be used where a processor within the territorial scope of GDPR transfers personal data to a controller in a third country. This module also represents an innovation in standard clauses, as the old versions of standard clauses always assumed that the entity in the European Union acted as a controller. This module contains relatively fewer provisions, reflecting the relatively lighter obligations that apply directly to processors under GDPR. This module could be used to help address situations where a service provider, acting as a processor within the territorial scope of GDPR, delivers services to a controller in a third country.

Timing

Several key aspects of timing related to the Ex-EU SCCs are as follows:

  • The EC Decision on the Ex-EU SCCs enters into force on 27 June 2021 (20 days from publication in the Official Journal).
  • The Old C2C Clauses and Old C2P Clauses will be repealed as of 27 September 2021 (three months from the date the EC Decision enters into force). As such, the Ex-EU SCCs will need to be used for any new data transfers of personal data to third countries as of 27 September 2021; and
  • For Old C2C Clauses and Old C2P Clauses concluded before 27 September 2021, these remain valid until 27 December 2022 so long as the processing and subject matter do not change and the existing clauses ensure appropriate safeguards are in place within the meaning of Schrems II and otherwise. Thus, as of 27 September 2021, it will not be possible to add new data categories or processing purposes to Old C2C Clauses or Old C2P Clauses. This applies in particular to umbrella-style intra-group data processing agreements.

In practice, this means there is just over:

  • Three (3) months to prepare for using the Ex-EU SCCs for new agreements/transfers of personal data from the EU; and
  • Eighteen (18) months to replace any existing data transfer agreements based on the Old C2C Clauses or Old C2P Clauses with the Ex-EU SCCs or other suitable arrangements.

Open Questions

It should be noted that the Ex-EU SCCs, while answering many questions, created new challenges for companies. Among other issues, open questions include: (i) how to handle transfers to non-EU controllers subject to the GDPR according to Art. 3(2), (ii) why exporters and importers should not be able to limit their mutual liability as Clause 12(a) suggests and (iii) whether the transition period (see above) also applies to current Schrems II measures taken by companies.

More to Come

Beyond this introductory note, we will be launching a series of blog posts and podcasts through www.ConnectOnTech.com and other outlets on the Ex-EU SCCs and related issues. Please stay connected with your Baker McKenzie team as we bring you updates on these important developments! 

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Joanna advises on a wide range of technology and commercial agreements and matters. Her practice focuses on regulatory issues, especially data protection, consumer law, and advertising and marketing, and she regularly advises clients on these areas in particular.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Dr. Maximilian Raschhofer has more than 10 years of experience in complex tech-related litigations. After graduating from the Law School of the University of Vienna in 2006 as the third best graduate, Maximilian acquired his doctoral degree in the area of data protection and hosting provider liability and acted as Vice Director for the European Center for E-Commerce and Internet Law from 2007 to 2010. From 2010 to 2018 he worked as Associate, Senior Associate and then Counsel at one of Austria’s biggest law firms where he handled complex tech- and health-related matters, in particular administrative (criminal) proceedings and litigations, and finally gained valuable in-house experience at one of the largest Austrian insurance corporations, handling in particular GDPR compliance and complex regulatory matters.

Author

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen’s expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to and routinely uses his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Radoslaw Nożykowski is a Counsel in the IP Tech/Compliance & Investigations departments at Baker McKenzie's Warsaw office. He has over 15 years of professional experience working for clients from technology, finance, media and healthcare sectors. He is recommended by Chambers Europe and Legal 500 in the area of TMT (including privacy compliance).

Author

Yann has extensive experience in dealing with issues pertaining to internet law, data privacy protection, internet surveillance, cloud computing, whistle blowing. He has assisted numerous businesses with complex projects involving information technologies (big data compliance, ethics of algorithm, data governance, profiling, e-discovery procedures, etc.). Yann also advises on compliance disputes.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author

Raul Rubio joined Baker McKenzie as a partner in 2011, practicing in the area of information technology and communications. He has over 15 years’ experience, having worked for the Spanish office of a Big Four accounting firm prior to joining Baker McKenzie. Mr. Rubio is a frequent speaker at several universities, law schools and companies, and has given several lectures on topics related to his field. He has written numerous legal articles in business journals and magazines relating to intellectual property, audiovisual law and new technologies.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.

Author

Julia Wilson is a partner in Baker McKenzie's Employment & Compensation team in London. She advises senior legal and HR stakeholders on a range of employment and data protection matters.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.