Sch-rems II rulings have shaken up international data transfers. The Privacy Shield agreement with the US was declared invalid and now most companies have resorted to the so-called EU Standard Contractual Clauses (SCC). In a second ruling, however, the ECJ also commented on the SCCs and new SCC contract sets were put on the table, which now have to be transferred.
Karin Dietl has already pointed out in her article, the Schrems II rulings have shaken up international data transfers and led to general confusion regarding data protection compliance. With the Privacy Shield agreement with the U.S. declared invalid, most companies have resorted to the so-called EU Standard Contractual Clauses (SCCs). However, in a second ruling, the ECJ also commented on the SCCs, and they just barely got off lightly. This subsequently led to the EU revising the SCCs and adopting a new set of agreements. This means that all companies must now update their SCC to the new version.
International data transfer
When we talk about international data transfer, this refers to a data transfer to a country without an adequate level of protection, i.e. to a country with a worse level of data protection than the EU.
Schrems II decisions
As already stated in the introduction, the ECJ primarily dealt with the Privacy Shield and the data transfer to the USA. This data transfer mechanism was judged to be insufficient and is therefore no longer applicable. However, the ruling has implications for all international data transfers.
In another ruling, the ECJ also scrutinized the data transfer mechanism via SCC. The ECJ stated that contractual agreements – such as the SCC – cannot sufficiently prevent official access to the transferred personal data if the public law of the importing state excludes corresponding legal protection. In such a case, the contractual agreement only binds the parties under civil law, but not the destination country. The SCCs thus run into the void, since enforcement is in conflict with national law and thus the legal protection of the persons concerned cannot be guaranteed. The ECJ therefore stated that an additional examination and risk assessment is necessary in each case and, if the data exporter does not consider the legal protection to be sufficient, additional contractual and technical measures must be taken. The ECJ left open which additional measures these are, which has led to general confusion.
What is clear, however, is that SCCs cannot simply be signed unseen and without a closer look. As a result, individual data transfers will have to be examined individually, which means quite a bit of additional work for companies. It is also clear that these new requirements apply to all third countries and not just the USA.
- SCCs cannot be concluded blindly; an additional check will be necessary in the future.
- Schrems II decisions do not only apply to data transfers to the USA, but also have an impact on all data transfers to third countries.
Additional examination(Transfer Impact Assessment)
In the meantime, there seems to be at least a consensus among supervisory authorities that a risk-based approach is sufficient with regard to this additional check and the additional measures. The measures must therefore be in proportion to the corresponding data processing and set in relation to the risk of effective access by a third country.
It is necessary to know the company’s internal data flows (“Know your transfers“) and to carry out a Transfer Impact Assessment (TIA) based on this. Such a procedure of risk assessment and possible additional measures means a potentially large additional effort for a company. It is to be hoped that foreign IT providers will provide a general TIA for their standard applications in the future.
- As a first step, a company must obtain an overview of the international data flows (“Know your transfers”).
- Before SCC can be completed, a transfer impact assessment must be carried out.
- Depending on the data processing and the destination country, appropriate additional measures must be taken.
New EU standard data protection clauses
As if these additional requirements under Schrems II were not confusing enough, the EU Commission adopted a new set of SCCs in June 2021.
The new SCC have not only been renewed in terms of content and adapted to the GDPR and the new circumstances, they now also cover four different case constellations, which can be used alternatively or in parallel. The modules are differentiated according to transfer scenario:
- Module 1: Responsible party – responsible party
- Module 2: Responsible party – Processor
- Module 3: Processor – Processor
- Module 4: Processor – Responsible party
(The EU unfortunately does not provide nice individual versions but various consulting companies and law firms provide the modules individually in Word format and some even provide a generator).
Therefore, it must first be checked in each case which module(s) will be used. The SCC can be concluded individually or included in a comprehensive contract. However, it is only permissible to add clauses if these do not contradict the SCC or restrict the fundamental rights of the data subjects. The new SCC can also be concluded by several parties or one party can join a contract later. It is therefore possible to use the SCCs as part of a group-wide solution. The SCCs can also be used instead of an ADV.
From an EU perspective, the new SCCs must be used for new data processing from October 2021. Contracts with old SCCs must be replaced by the end of 2022 at the latest. However, if the data processing of an existing contract changes, this also triggers the obligation to use the new SCC. The transition period should therefore be taken with caution.
- The correct module must be used in each case and use should be made of the optional customization options.
- SCC may only be supplemented with stricter regulations but not weakened.
- For new contracts or contract adjustments, the new SCC must be used.
Final thought about the new SCCs
The new EU Standard Contractual Clauses (SCCs) do not exempt companies from an additional risk assessment and any additional measures. Although the new SCCs represent improvements, they only reduce the additional compliance effort for companies to a limited extent.