EU Standard Contractual Clauses: Time to get stuck into remediation

In this article we provide an overview of the Standard Contractual Clauses (SCCs) and some key areas companies need to think about when identifying and remediating existing contracts.

Almost all companies transfer personal data across borders, whether to suppliers, to other entities within their group structure or to shared service centres: for example, to a supplier based in the US, to Corporate HQ in Australia or to a shared service centre in India. Where they are transferring personal data from the European Union to recipients outside the European Union, most companies rely on the SCCs to make these transfers compliant.

In 2020, the Court of Justice of the European Union (CJEU) issued a decision which had a significant impact on the way in which companies transfer personal data across borders (‘Schrems II’). The decision means that businesses are now required to undertake Country Assessments and Transfer Risk Assessments before transferring data from the EU and UK to countries which are not deemed ‘Adequate’.

Separately, in June 2021 the European Commission updated the SCCs. Businesses are required to use the new versions of the SCCs for new contracts from 27th September 2021. The UK is yet to finalise its updated versions of the SCCs, but they are anticipated shortly.

As a result, businesses have until December 2022 to remediate all existing contracts which use the old versions of the SCCs where those agreements involve cross-border transfers of personal data.

Over the summer this year, we therefore saw many businesses stand up Phase 1 of their SCC projects: ensuring that they had processes in place to execute new SCCs for new transfers, and ensuring that there were procedures in place for conducting Transfer Impact Assessments in line with Schrems II. These projects often included the following pillars in relation to SCC remediation:

Incorporate the new SCCs into the process for new contracts and renewals of existing contracts (for EU transfers only: continue to use old versions for UK transfers until the UK updates are finalised). As part of your due diligence process, ensure that cross-border data transfers are identified (and a Transfer Risk Assessment completed).

Understand which contracts use the old SCCs. Once this picture is obtained, prioritise the contracts into tranches depending on the criticality and sensitivity of the data processing. Understand gaps in coverage: that is, identify those transfers which ought to have had SCCs in place, but did not.

Identify who your ‘big tech’ vendors are (e.g. Microsoft, AWS) and ascertain if they are taking any proactive approach to Schrems II and SCC implementation.

This will require an understanding of whether Supplementary Measures are required, subsequent to the completion of the Transfer Risk Assessment. It will also require mapping back to the schedules in the old SCCs and pulling through details as to data subject etc.

It is critical that businesses understand the substantive requirements of the SCCs, and can make the necessary operational/commercial changes. For instance, can the express breach reporting requirements for non-EEA controllers be operationalised?

Consider adding provisions to help ‘future-proof’ the SCCs and to support them to work effectively. For instance, organisations may layer provisions that allow for the addition and deletion of parties (helpful in an intra-group context), and additional measures to address Schrems II.


However, businesses are now turning towards Phase 2 of their SCC projects: remediating their existing or legacy SCCs by December 2022.

Although organisations will vary in their approach, there are a number of key elements which will feature on any SCC remediation project, including the following:

Identifying current use of the SCCs

Contracts containing the old SCCs need to be identified and located. Some organisations may have already completed this step, with many using technology in order to identify the SCC provision in their contract databases. Some organisations may have also undertaken an assessment to identify which of the versions (or ‘modules’) of the new SCCs they need to implement, depending on the roles of the parties. At this point, it may make sense to take the opportunity to validate the information contained in the schedules of the current SCCs (for instance, the types of personal data covered by the SCCs, and the security measures in place to protect the data).

Understanding gaps in coverage

In addition to identifying current use of SCCs, it is important that organisations identify the gaps; that is, those transfers which ought to have had SCCs in place, but did not. In terms of prioritising remediation activity, these transfers might be high up the list, in terms of risk.

Considering the broader contractual framework

There’s an oft-repeated phrase in relation to SCCs: "You can't amend the model clauses!" However, you can layer provisions onto the SCCs to help ‘future-proof’ them and to support them to work effectively in the context of your organisation. For instance, organisations may layer on provisions that support the addition and deletion of parties, and additional measures to address Schrems II (or other developments).

The caveat is that the additional provisions must not undermine the protection of data, the rights of the Data Protection Authorities or Data Subjects.

Building in the UK position

The new EU SCCs are not valid SCCs for making transfers from the UK. The UK ICO has published draft UK SCCs during the course of 2021, and this should be factored into the project planning.

Prioritising and phasing execution of the new SCCs

Carefully prioritise the transfers that should be transitioned, considering the renewal dates of existing contracts.

For our clients we evaluate what technology and accelerators can add efficiency and deliver value both during and after the remediation has been completed so there is onward value creation:  

For some organisations the above will be straightforward. For others, both SCC remediation as well as Schrems II assessments will be complex and time-consuming. PwC’s data protection team members include privacy lawyers, operational specialists, legal tech experts and project managers. We can deploy a multi-disciplinary team to run your SCC project, using technology and delivery centres to ensure we balance quality with cost considerations.

Reach out to Chris or Jenny or any of the team if you’d like to discuss further.
