Does your business need to comply with the General Data Protection Regulation (the GDPR) or sign contracts with businesses that need to comply with the GDPR? If so, then the new standard contractual clauses are relevant to you.
From the end of September 2021, you need to start using the updated standard contractual clauses for new overseas data transfers. By the end of 2022, you also need to have updated agreements for all your existing data transfers. With deadlines looming, it is important to understand what:
- standard contractual clauses are;
- has changed; and
- you need to do next.
This article will explain.
What are the Old Standard Contractual Clauses?
When the GDPR came into force in May 2018, it restricted the transfer of personal data outside of the European Economic Area (EEA) to countries that do not provide an adequate level of protection. Australia has no adequacy decision from the European Commission, so it is treated as an inadequate destination.
If you are transferring personal data to an inadequate destination, you must first put safeguards in place so that the data is protected to a standard essentially equivalent to the GDPR. One of the most practical safeguards is a set of binding contractual obligations. For this reason, data exporters sign the GDPR standard contractual clauses with data importers.
The clauses work well as a safeguard. This is because the European Commission prepared them with the express purpose of protecting overseas transfers of personal data. Accordingly, they set out what:
- a data exporter must do to export the data safely; and
- the data importer must do to safeguard it on receipt.
The drawback of using the old clauses was that they were created before the GDPR. Therefore, they did not contemplate all of the GDPR's specific requirements. The good news is that the new standard contractual clauses have been updated with the GDPR in mind.
How Have the Standard Contractual Clauses Changed?
Because the previous version predated the GDPR, the new version has been updated to align the clauses with it. You can see the GDPR-driven changes in three main ways:
1. Modules for Different Types of Transfers
Previously, the standard contractual clauses only applied to transfers that were either:
- EU-controller-to-overseas-controller; or
- EU-controller-to-overseas-processor.
The new clauses instead include modules for a range of different types of transfers, including:
- controller-to-controller;
- controller-to-processor;
- processor-to-processor; and
- processor-to-controller.
It has also been clarified that the parties do not have to be in the EU to use the clauses. This means that Australian-based businesses, which are subject to the GDPR, can use the clauses to safeguard transfers to inadequate third countries.
2. The Clauses Can Be Used as a Data Processing Agreement
The GDPR requires that a processor's processing of personal data on behalf of a controller be governed by a contract or other legal act that is binding on the processor. The GDPR also lists specific items that the contract must include. Typically, this is managed by way of a data processing agreement.
In addition to safeguarding overseas transfers, the new clauses work as a data processing agreement. This is because, unlike the old version, they include all the items which need to be put in place between a controller and processor for data processing. Accordingly, it is expected that the clauses will become the gold standard for data processing terms.
Using the standard contractual clauses as the base of a data processing agreement is likely to become the recommended approach. You can still add commercial terms to the clauses, as long as they do not:
- contradict, directly or indirectly, the standard contractual clauses; or
- prejudice the fundamental rights and freedoms of the individuals the personal data relates to.
This means you can negotiate and document further commercial details and processes for your data processing and transfers. For example, you can agree on what a reasonable notice period is or how often you will perform security checks.
3. Extra Protections in Relation to Local Laws and Access by Public Authorities
In July 2020, the Court of Justice of the European Union handed down a judgment known as Schrems II. Schrems II invalidated the EU-US Privacy Shield on the basis that US surveillance laws meant there were not sufficient safeguards in place for the transfer of personal data. While the case focused on the Privacy Shield, it also addressed the standard contractual clauses, noting that local laws which conflict with the safeguards in the clauses may undermine the protection they provide. Schrems II therefore introduced a requirement to assess each transfer case by case to decide whether acceptable protections are in place.
To address the concern over local laws in inadequate jurisdictions and access by public authorities, such as law enforcement or national security bodies, the new standard contractual clauses include further directions and obligations setting out what the parties must do in such a situation.
Note, however, that the changes do not remove the need for a case-by-case assessment of the safeguards for each transfer.
What Do I Need to Do Next?
With the new standard contractual clauses ready for use and upcoming deadlines, now is the time to review your current data transfers and update your documentation in line with the latest clauses and the Schrems II case.
With a late September 2021 deadline, your priority should be updating your data processing agreement for future data transfers. Following this, you will also need to start considering how and when you will migrate your old agreements to the new clauses, noting the late 2022 deadline.
If your business needs to comply with the GDPR or signs contracts with businesses that need to comply with the GDPR, then you should be aware of the new standard contractual clauses. From late September 2021, you must start using the updated standard contractual clauses for new overseas data transfers. You will also need to have updated agreements for all your existing data transfers by the end of 2022.