New Standard Contractual Clauses for data importers outside the EEA but subject to the GDPR
The question
Are the EU’s Standard Contractual Clauses (SCCs) needed if a data importer is located outside the European Economic Area (EEA) and already directly subject to the EU General Data Protection Regulation (EU GDPR)? In other words, where third party controllers and processors are based outside the EEA but subject to the GDPR, do you still need the SCCs to enable a lawful international transfer to them?
The key takeaway
Organisations engaged in the transfer of personal data to jurisdictions that are not considered to offer an adequate level of protection under the EU GDPR for that data should be aware that new SCCs are being developed for the scenario where the data importer is itself subject to the GDPR.
The background
The EU’s revised and modernised SCCs, which were published by the European Commission on 27 June 2021 (Current SCCs), are a template set of terms and conditions that can be incorporated into contractual arrangements to facilitate compliance with international data transfer requirements under EU law. This is one way in which organisations that are subject to the EU GDPR can ensure that certain standards of data protection are adhered to when transferring personal data internationally to a “third country” outside of the EEA (meaning one that is not considered to offer an equivalent level of protection for personal data to that in the EU itself).
The Current SCCs consist of four modules, which should be incorporated into contracts between a data importer and a data exporter depending on the processing relationship in question. For example, Module 1 relates to controller-to-controller data transfers while Module 2 is applicable to controller-to-processor data transfers. The Current SCCs have also been used by the UK Government as the basis for UK-specific SCCs through the introduction of an Addendum to the Current SCCs. This means they can be adapted for use, in a UK law context, to comply with the restricted transfer requirements under UK data protection law.
The development
On 12 September 2024, the European Commission announced its intention to launch a public consultation on a proposed new module of the Current SCCs, which will cover international data transfers where both the data exporter and the data importer are subject to the EU GDPR (New SCCs). This scenario is not currently covered by the Current SCCs, and the European Commission has faced calls to address this gap.
These calls for a revised, specific set of SCCs that deal with this scenario were heightened following the decision by the Dutch DPA (DPA) to fine Uber €290 million for its failure to adequately protect the personal data of its drivers when transferring this data to its servers in the US (see Snapshots Autumn 2024 for further information on this decision). Significantly, the DPA rejected Uber’s argument that SCCs were not required even though Uber’s US entity was already subject to the EU GDPR as a joint controller of personal data that came within the scope of the legislation. This case exposed a clear gap in the Current SCCs, which the Commission has sought to address with the announcement of a public consultation over this proposal for New SCCs.
Drafts of the New SCCs have not yet been released; however, their publication is expected in advance of the launch of the public consultation. The public consultation is planned for the fourth quarter of 2024, and it is anticipated that the New SCCs will be adopted by the Commission in the second quarter of 2025.
Why is this important?
As drafts of the New SCCs have not yet been published, it remains to be seen what obligations they will impose on data exporters and importers. Similarly, any initial drafts published will be subject to change depending on the outcome of the consultation. However, the consultation does provide an opportunity for individuals and organisations with experience in this area to input into and shape the New SCCs.
Any practical tips?
In anticipation of the publication of the New SCCs, it would be prudent for organisations to review their international data transfer frameworks to identify which data importers are located outside the EEA and are directly subject to the GDPR. It is these relationships into which the New SCCs may need to be incorporated. This is a necessary step for determining which SCCs can be used, as the Current SCCs will remain applicable where the data importer is not subject to the GDPR.
Winter 2024