Standard Contractual Clauses (SCCs)


Standard contractual clauses (SCCs) are a key way to ensure the lawful and secure transfer of personal data from within the European Economic Area (EEA) to "third countries" (non-EEA countries).

With the downfall of the Privacy Shield framework in July 2020, SCCs represent the most appropriate safeguard for most personal data transfers from the EEA to the United States.

In this article, we'll be explaining what SCCs are, why you might need them, and how to use them. We'll also be discussing some of the additional safeguards that you might need to implement following recent legal developments.

Understanding Standard Contractual Clauses

What are Standard Contractual Clauses?

SCCs are a legal mechanism set out in the EU General Data Protection Regulation (GDPR). SCCs can help businesses in EEA countries transfer personal data to other companies in third countries.

  • "EEA countries" means the 27 EU Member States, plus Norway, Iceland, and Lichtenstein. At the time of writing, this includes the United Kingdom (which is currently transitioning out of the EEA).
  • "Third countries" means all other countries.

The GDPR seeks to protect the personal data of data subjects (individual people) residing in the EEA. SCCs are a means of helping people in the EEA maintain their rights and control over their personal data even once it leaves the EEA.

Suppose a business collects a data subject's personal data and transfers it to another company in a country where the GDPR does not apply. In that case, the data subject risks losing the GDPR's protections over that data, including their ability to exercise their data subject rights.

With SCCs, the two businesses make the transfer subject to a legally-binding agreement containing clauses guaranteeing that the third-country recipient will protect the personal data.

There are three sets of SCCs. Here's an example of one of the SCCs from set 1 of the SCCs, Annex A, adopted in 2001:

EUR-Lex: Standard Contractual Clauses Annex A - Security and confidentiality section

This clause requires a third-country data controller receiving personal data to take security measures to protect the personal data. EEA data controllers are already required to do this under EU law.

Is it Always Necessary to Use Standard Contractual Clauses?

SCCs, or one of the alternative safeguards listed below, are required for "restricted transfers."

Here's a checklist to help you determine whether you're making a restricted transfer:

  • Do you intend to transfer personal data?
  • Is the intended recipient situated in a third country that does not have an adequacy decision (see below)?
  • Is the intended recipient another person or organization (i.e. someone outside of your own company, including a subsidiary)?

If the answer to all three questions is "yes," then you are making a restricted transfer and must apply one of the GDPR's safeguards, such as SCCs.

Standard Contractual Clauses Since August 2020

"Standard contractual clauses" will be an important mechanism for more business since the downfall of the EU-U.S.Privacy Shield framework. Many people see SCCs as the best solution for companies who were previously part of Privacy Shield.

What Happened to Privacy Shield?

The U.S. does not have an "adequacy decision." However, the Privacy Shield framework allowed EEA and U.S. businesses to freely transfer EEA data subjects' personal data.

The Privacy Shield scheme required participants to make specific commitments to protect EEA residents' personal data. The commitments made under the framework were supposed to deliver an "equivalent" level of protection as that provided by EU law.

Privacy Shield was recently considered in an important EU court case known as "Schrems II." The Court of Justice of the European Union (CJEU) decided that Privacy Shield does not represent a valid means of protecting EEA data subjects' personal data.

The main reason for the CJEU's decision was that the U.S. has blanket surveillance laws that allow its Government to access personal data. The Privacy Shield framework did not protect against this interference, and EU citizens had no legal protection against it.

The CJEU took particular issue with two U.S. laws, namely Section 702 of the Foreign Intelligence Surveillance Act (FISA 702, available here) and Executive Order 12333 (EO 12333, available here).

The Schrems II case immediately invalidated the Privacy Shield framework, and businesses using this scheme must now find another safeguard to facilitate transfers of personal data from the EEA to the U.S., such as SCCs.

Did the Schrems II Case Affect Standard Contractual Clauses?

The Schrems II case was, centrally, a challenge to the validity of SCCs. The CJEU concluded that SCCs remain a valid safeguard when making restricted transfers of personal data.

But while the CJEU did not invalidate SCCs, the Schrems II decision does reiterate that SCCs may not be a suitable safeguard in all circumstances, as has always been the case.

Following Schrems II, the European Data Protection Board (EDPB) requires EEA data controllers to assess the safeguards they have in place for transferring personal data to third countries.

You must assess the appropriateness of using SCCs on a case-by-case basis. We'll consider how you can do this below.

Using Standard Contractual Clauses

If you plan to make a restricted transfer, you'll need to create a contract between the two parties receiving and sending the data and insert the SCCs into the contract. This contract can be the Terms and Conditions agreement (also known as a Terms of Use or Terms of Service).

What are Data Importers and Data Exporters?

Either party involved in a restricted transfer can create a data transfer contract, but both parties must agree to it.

  • If you're an EEA company wishing to send personal data to a third party outside the EEA, you're the "data exporter."
  • If you're a non-EEA company wishing to receive personal data from inside the EEA, you're the "data importer."

Can We Change the Standard Contractual Clauses?

You cannot change the SCCs in any way. Whichever of the three sets you use must be fully present and unaltered in the contract covering the transfer.

You can add additional clauses, and indeed you may need to do so (as we'll see below), but these must not conflict with the SCCs.

Which Set of Standard Contractual Clauses Should We Use?

The European Commission provides three sets of SCCs. Two sets are for transfers between two data controllers. One set is for transfers between a data controller and a data processor.

Controller-Processor Transfers

If the data importer is a data processor, you'll need to use the SCCs for controller-processor transfers. The controller-processor SCCs were updated in 2018. The old set (from 2010) is no longer valid and you must not use it.

If you're engaging a data processor, whether or not they are based outside of the EEA, you'll need to create a Data Processing Agreement. If your data processor is based outside of the EEA, you can incorporate the SCCs into your Data Processing Agreement.

Controller-Controller Transfers

If the data transfer is between two data controllers, you can choose between the SCCs adopted in 2001, and the SCCs adopted in 2004.

The differences between these two sets of controller-controller SCCs are quite technical, and include:

  • Set 1 (2001):

    • The exporter is "jointly and severally liable" for the importer: if the data importer acts unlawfully with the personal data, the data subject can take action against the data exporter.
  • Set 2 (2004):

    • The parties are liable only for their own actions.
    • The data exporter must monitor the actions of the data importer.
    • The data exporter is liable if it does not take reasonable steps to check whether the data importer can fulfil its contractual and legal obligations (i.e. take "due diligence"). Due diligence may involve conducting an audit on the data importer's premises or requesting that the data importer has insurance.
    • The parties may agree to dispute arbitration.
    • The parties may agree to indemnify one another against losses.

Neither of these two sets of SCCs is "better," and neither provides a stronger level of data protection. We suggest that both parties read each set carefully and decide which is right in the context of your transfer.

Applying Additional Safeguards to Transfers to the U.S.

While the Schrems II decision did not invalidate SCCs, or change them in any way, it did reiterate that data controllers must assess whether SCCs provide adequate protection for their restricted transfers.

Such an assessment must be made regardless of which third country the data importer resides in. However, you should take particular care if you plan to make a restricted transfer to the United States.

Why Might Additional Safeguards Be Required?

SCCs are only valid insofar as they can ensure personal data is protected to a standard commensurate with the GDPR and the EU Charter of Fundamental Rights.

Some state surveillance is acceptable in this context. For example, where security services must apply for a warrant before demanding personal data from a business. Unfortunately, some U.S. surveillance laws do not meet this standard.

Therefore, these surveillance laws could be a problem if you plan to use SCCs to transfer personal data to certain U.S. companies. You'll need to consider whether you can apply additional safeguards to your restricted transfers to protect against state interference.

We're going to look at two interpretations of the Schrems II judgment that give some advice on how to do this.

European Centre for Digital Rights

The European Centre for Digital Rights (headed by the person who brought the Schrems II case, Max Schrems himself), has produced some guidance on what businesses should do if they wish to continue using SCCs to transfer EEA-originating personal data to the United States.

The guidance suggests that EEA businesses write to the U.S. companies with which they share personal data to ask if they fall under the two problematic surveillance laws that led to the invalidation of the Privacy Shield framework (FISA 702 and EO 12333).

The guidance also suggests writing to U.S. companies to ask what measures they take to prevent communications being wire-tapped by the NSA. It argues that the U.S. Government can break even very strong encryption.

Ultimately, the European Centre for Digital Rights argues that EEA companies will simply have to stop working with certain U.S. companies if they cannot lawfully guarantee to protect personal data.

Bear in mind that this is a strict interpretation of the Schrems II judgement, produced by the actual plaintiff in the case (whose primary complaint was with SCCs, not Privacy Shield).

International Association of Privacy Professionals

Some observers believe that the CJEU did not properly understand the U.S. surveillance laws' scope, which only allows the U.S. Government to obtain personal data from narrowly-defined "electronic communications providers."

Privacy Professionals, Marc Zwillinger, Mason Weisz, and Kandi Parsons argue that most U.S. companies will be able to deny U.S. Government orders made under FISA 702 and EO 12333.

They suggest that exporters apply strong encryption to personal data, and insert additional contractual clauses that compel the importer not to divulge the data to the U.S. Government.

This interpretation is much more liberal than the alternative, above, but would allow virtually all restricted transfers to the U.S. to continue with a few additional safeguards applied.

Do You Need to Contact Your Data Protection Authority?

The EDPB indicates in its guidance that EEA data exporters must work with their third-country importers to assess the privacy risks involved in their restricted transfers. We've provided two sets of guidance on carrying out this assessment above.

What happens if you conduct this assessment and conclude that you cannot adequately safeguard the privacy risks? Here's an excerpt from the guidance:

"If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."

The EDPB appears to be saying that you may continue with a restricted transfer whether or not you have deemed it to be sufficiently secure, so long as you notify your Data Protection Authority.

Summary

  • SCCs may be appropriate if you are either:

    • An EEA data controller transferring personal data to another person or organization in a third country ("data exporter"), or
    • A third-country data controller or processor receiving personal data from an EEA data controller("data importer")
  • There is no need to use SCCs if the data importer is based in a third country covered by an adequacy agreement.
  • Where the exporter is a data controller and the importer is a data processor, they must use the controller-processor SCCs.
  • Where both the exporter and importer are data controllers, they can choose between one of two sets of SCCs.
  • You must not alter the SCCs in any way.
  • You should conduct an assessment to determine whether SCCs provide an adequate level of data protection for your restricted transfer.
  • You may need to add additional protections if you determine that SCCs cannot provide an adequate level of data protection.
  • If you conclude that SCCs cannot provide an adequate level of data protection, and you proceed with a restricted transfer despite this, you must inform your Data Protection Authority.