New EU Standard Contractual Clauses in Force - How Companies should now correctly proceed when using US Cloud Services

On Friday, 04.06.2021, after a long wait, the EU Commission at last published the final version of the new EU Standard Contractual Clauses (hereinafter referred to as "SCCs"). Companies that have been unsure since July 2020, due to the ECJ's Schrems II ruling, whether they can use the services of US providers such as Amazon, Microsoft, Google, Salesforce & Co. in a legally compliant manner, can now base their decision on a new legal foundation. This article explains what you now have to do in this regard.

Here is a summary of the main points of this article:

• On 04.06.2021 the EU Commission published the new SCCs: a version on data transfer within the EU/EEA ("EU data transfer") and a version on third country transfer.
• The version for EU data transfer will, in future, be available as an alternative to conventional contracts for order processing pursuant to Article 28 GDPR.
• The version on third country transfer has a transition period of 18 months, so companies do not have to act immediately, but we believe they should due to the legal uncertainty that currently exists.
• The SCCs for third country transfer are modular. The user must, therefore, first legally classify the functions of the parties involved and then erase the inapplicable modules from the draft.
• Before using the SCCs for third country transfer, companies must carry out a so-called Data Transfer Impact Assessment, i.e. a documented risk assessment; a data transfer based on the SCCs may only take place after a positive evaluation.
• At the end of this article you will find detailed instructions on how to use the new SCCs for third country transfer.

1. Backdrop

According to the EU Commission, the US has an inadequate level of data protection, so every data transfer to US servers requires a special legal basis pursuant Article 44 et seqq. GDPR. Up until July 2020, EU companies had based this data transfer either on a) the adequacy decision on the EU-US Privacy Shield or b) the conclusion of the old SCCs. However, the European Court of Justice then declared the EU-US Privacy Shield to be invalid (ref. C-311/18) and placed additional requirements on the conclusion of the old SCCs, such as a review of the respective legal system (Data Transfer Impact Assessment), the conclusion of a supplementary agreement with increased control, information and legal remedy obligations of the US providers and/or the implementation of a complete encryption of the relevant data. Since then, there has been uncertainty as to which measures companies now have to take in order to be able to use the services of US providers in a legally-compliant manner. In this respect, a relaunch of the SCCs was eagerly awaited.

You can read the following articles we wrote again to find further background information on the events after the above ECJ judgment (Schrems II):

• ECJ Throws Out Privacy Shield Agreement but Confirms Standard Contractual Clauses
• Following the European Court of Justice Judgement regarding the Privacy Shield – Data Protection Authority Publishes Recommended Actions for Practice
• European Commission Publishes Updated (Draft of the) Standard Contractual Clauses
• German Supervisory Authorities to Monitor the Implementation of the "Schrems II Judgment"
• EU Data Protection Officer Initiates Proceedings against Institutions of the European Union for Using Amazon AWS and Microsoft Office

The new SCCs were published by the EU Commission on Friday, 04.06.2021. They can be used immediately. Below you will find an overview of these documents and a recommendation for action in practice.

2. SCCs for EU data traffic

There are now two versions of the new SCCs, one for EU data transfer (order processing) and one for third country transfer, i.e. with regard to the transfer of personal data to countries outside the EU/EEA. This section initially provides information on the SCCs for EU data transfer:

After the Danish supervisory authority had already drafted SCCs for order processing cases pursuant to Article 28 GDPR in 2019 as part of the consistency mechanism pursuant to Article 63 GDPR and in coordination with the European Data Protection Board (EDPB), the European Commission has now also presented its own SCCs for EU data transfer.
These clauses cover both the cases of Article 28(3) 4 GDPR and those of Article 29(3) 4 Regulation (EU) 2018/1725. The SCCs for EU data transfer are therefore on an equal footing with the data processing agreements currently used by companies, but can now also be used by institutions, bodies and other agencies of the European Union. Unlike the SCCs for third country transfer, however, these do not fulfill any guarantee function, nor are they mandatory for companies. Rather, the new SCCs for EU data transfer simply represent a template for a legally compliant contract for order processing that may or may not be used by companies.

Indeed, the SCCs now contain a tying clause (clause 5) for EU data transfer, so that it will be possible in future to simply include other companies as contractual partners (both controllers and processors) in the SCC. However, by their very nature, the SCCs on EU data transfer do not include provisions to protect the individual interests of their users. In this respect, the client of order processing regularly has an interest in structuring its own control rights with the data importer ("service provider") more individual basis and in specifying legal information obligations. In contrast, the contractor for order processing has a legitimate interest in structuring its support services as effortlessly and cost-effectively as possible and in making an independent decision on its technical and organizational measures. Experience has shown that, from the point of view of the respective contractual partner, a standard document does not take individual interests into account sufficiently, so the new SCCs for EU data transfer would only be suitable for very simple contractual arrangements.

3. SCCs for third country transfer

The SCCs for third country transfer are likely to be more important in the future. According to Article 46 GDPR, they will become the legal basis for the use of services from US and other providers with headquarters outside the EU/EEA, which is why we will go into more detail about their content below:

a) Overview

The new SCCs for third country transfer serve as the legal basis for the transfer to countries with an inadequate level of data protection. Indeed, there are still exceptions in Article 49 GDPR that could justify such a transfer, such as the individual consent of the data subject or a contractual requirement. However, the new SCCs for third country transfer will become the basis for creating an adequate level of data protection for providers in third countries in the future. A transition period of 18 months was set so that, theoretically, the old SCCs for third country transfer can still be used until then. However, this is not recommended, as the ECJ made it clear in the above judgment that the use of the old SCCs is not sufficient on its own for third countries with regulatory data transfer monitoring, rather, additional guarantees must be obtained, which, in turn, leads to legal uncertainty. In this respect, we believe that the new SCCs for third country transfer should be finalized without delay.

b) Tying clause

The tying clause contained in clause 7 — according to which new contractual partners can be included in existing SCCs at any time — is also a new feature of the SCCs for third country transfer. In this way, a client can take on another client as a joint controller, for example, in order to legally secure the existing order processing with the service provider. This offers flexibility in drafting contracts.

c) Modular structure

The modular structure of the SCCs for third country transfer is also new. There are now sections that apply depending on the specific arrangements, while other sections are to be removed. They are divided into four modules:

• client transfers to an independent company in a third country, e.g. in the context of joint controllers (controller to controller);
• client transfers to a service provider bound by instruction (controller to processor);
• service provider transfers to another (sub-)service provider (processor to processor);
• service provider transfers to a client in a third country, e.g. an EU call center collects data as a service provider and that data is transmitted to the client in the USA (processor to controller).

It is therefore necessary to first check which of the above configurations exist before designing the new SCCs for third country transfer.

d) Subcontractors

The commissioning of the service provider's subcontractors has also been regulated in a modular manner. For the most common case of the controller-processor relationship, however, the same principles apply as previously regulated in Article 28 II and IV GDPR - and therefore in all currently agreed contracts for order processing: The Client can decide in the contract whether it has to agree to every change for the commissioning of subcontractors by the service provider, or whether a general approval is declared so that the service provider merely has to declare the change, but the client still has the right to object. What is new, however, is that the service provider must agree with the subcontractor that the client will be entitled to direct return or cancellation claims, for example, in the event of the insolvency of the service provider (Clause 9 lit. e).

e) Local laws, clause 14

The provisions in clause 14 on local laws are also new. They deal directly with the new requirements of the ECJ, according to which every EU company has to carry out, inter alia, an individual risk assessment (Data Transfer Impact Assessment) before using third country providers with official data monitoring (e.g. USA or China). Clause 14 now provides the following obligations:

• Before the data transfer, the parties must check whether laws or practices in the third country may prevent the fulfillment of the obligations of the SCCs for third country transfer. A documented risk assessment therefore has to take place for each SCC.
• The special circumstances of the transfer must be taken into account in the risk assessment, e.g. the number of parties involved (subcontractors) as well as any forwarding of the data to third parties and the format of the data or the type of industry in question.
• When carrying out the risk assessment, special attention must also be paid to the respective applicable laws and practices of the third country, but also to the applicable restrictions and guarantees. It is, therefore, not enough to draw up a general preliminary risk assessment and apply it to different countries. On the other hand, the personal experiences of the parties can also be incorporated, such as the statement that the authorities in the third country have not exercised any control processes in the past. The last point is, however, partly the subject of objections in the literature, as the risk assessment can be misdirected by these subjective elements.
• Ultimately, all relevant contractual, technical or organizational guarantees that are implemented by the parties before the data is transmitted must be taken into account in the above risk assessment. We will discuss this in more detail in the next subsection.

All in all, it can be stated that companies must meet comprehensive auditing obligations under the new SCCs for third country transfer before using third country services. Here, it is not possible to create a blanket standard assessment for a number of similar cases, but rather the special circumstances of each individual case must be taken into account.

f) Additional guarantees

The risk assessment must take into account not only the special circumstances and relevant laws and practices, but also any additional guarantees.
Suitable, additional guarantees can be of a contractual, organizational and technical nature. However, technical measures are of particular importance. In accordance with the recommendations of the European Data Protection Board ("EDPB"), technical protective measures that prevent or render ineffective access to personal data by government agencies in third countries are the primary means of choice. Technical guarantees can be flanked by organizational and contractual measures in order to ensure overall effective protection of the transmitted data. The EDSA mentions encryption technologies in particular as a technical measure. The use of anonymization and/or pseudonymization techniques (if only the EU company is allowed to make the assignment) is specifically recommended by some German supervisory authorities, such as the state authority in Baden-Württemberg. The obligation to take into account additional guarantees for compliance with data protection in the recipient country therefore results in a specific need for action for both data exporters and data importers.

g) Access by public authorities, clause 15

New in the SCCs for third country transfer are also the requirements of the service provider in the event of access to data by the authorities. As a data importer, this regulation results in the following obligations:

Notification

The service provider is obligated to notify the client and, as far as possible, the person concerned immediately;

• if it receives a legally binding request from an authority of the country of destination to disclose personal data that is transmitted on the basis of the SCCs; or
• if it becomes aware that an authority in the country of destination has direct access to personal data that has been transferred pursuant to the SCCs for third country transfer.

If the service provider is prohibited by the laws of the country of destination from notifying the client and/or the data subject, the former is obligated to do its best to lift the prohibition on information. Insofar as is permissible under the laws of the country of destination, the service provider is also obligated to provide the client at regular intervals with as much information as possible about the requests received from authorities. In addition, according to clause 14 and clause 16, the service provider is obligated to inform the client immediately should it be unable to comply with the above obligations.

Verification of legality and data minimization

The service provider is obligated to check the legality of the official disclosure request and, if there is sufficient prospect of success, to appeal against the disclosure request (including measures of interim legal protection). It remains to be seen who has to bear the costs in this regard and whether it is possible for the service provider to negotiate (as was the rule up until now) that the client has to assume the costs of the (possibly exorbitant) legal remedies.

Documentation obligations

Finally, the service provider is obligated to comprehensively document compliance with the aforementioned obligations in order to be able to prove such at the request of the client.

4. Recommendations for action

The new SCCs, in particular those for third country transfer, create new possibilities for EU companies to use IT services from the US and other third countries that do not have an adequate level of data protection (e.g. China or India). How exactly should companies now proceed? We recommend the following:

a) First, check which services from providers from third countries you use today and create a list specifying the current legal basis according to Article 44 et seqq. GDPR. Include those services that are offered by US subsidiaries within the European Union ("EU Cloud"), because, in the opinion of the supervisory authorities, access can also take place here (at least with cloud providers) due to US laws (FISA, Cloud Act), which leads to a third country transfer.

b) Now carry out the Data Transfer Impact Assessment and document it. So identify the particular circumstances of the use, the applicable laws and, if relevant, practices at the headquarters of the service provider as well as any contractual, technical or organizational guarantees (e.g. the possibility of encryption) and then carry out a risk assessment in writing. If this results in utilization being possible under the specifications of the new SCCs for third country transfer and there is no reason to assume that the specifications cannot be met by the service provider, a corresponding draft contract can be drawn up.

c) Now use the respective contractual relationship to determine which module of the SCCs for third country transfer you require (usually IT service provider, therefore order processing: controller-to-processor). Use the template to create a version of the contract (please note: you may not change any clauses, if necessary, make additions, see clause 2, and use the individual information of the respective contractual relationship to complete Annex I (page 29). The US service provider's technical and organizational measures must be included in Annex II (page 32) and the subcontractors commissioned in Annex III (page 34). You will not normally have any of this information available to you (unless old SCCs are readily available), which is why Annex II and Annex III usually have to be completed by the US service provider.

d) Then send the completed, signed version of the SCCs for third country transfer (possibly without completed Annex II and III) to the service provider and ask for it to be checked, signed, completed and returned to you. Ideally, it will send them back to you, completed and signed.

Of course, we will gladly perform the above steps for you.

5. Outlook

You are correct if you noticed that the above procedure is no easier than the previous practice of concluding a supplementary agreement with the US providers after July 2020, including the new ECJ requirements. However, two things have changed here:

(1) with the conclusion of the new SCCs for third country transfer, you now have legal certainty for the first time (at least until these are also repealed by the ECJ in a few years, as US surveillance practice will probably not have changed by then); and

(2) the US providers will probably not (no longer) reject or sit out your request for the conclusion of the new SCC, because an official document from the EU Commission is now available for the first time, while the previous supplementary agreements were not pre-formulated by an official body.

Should you have any questions, please do not hesitate to contact one of the authors.