The New Standard Contractual Clauses for International Data Transfers
The European Commission adopted a new set of Standard Contractual Clauses for the transfer of personal data from the European Union (“EU”) / European Economic Area (“EEA”) to non-EU regions (“New SCCs”), which came into effect on 27 June 2021. The New SCCs have been promulgated to replace the SCCs adopted by the European Commission in 2001 (with amendments in 2004) and 2010 respectively under the then Data Protection Directive 95/46/EC (“Old SCCs”). Entities which have put in place the Old SCCs effecting cross-border data transfer are required to replace all contracts containing the Old SCCs by 27 December 2022.
The adoption of standard contractual clauses is one of the most widely recognised forms of safeguards which operates as an exception to the restrictions imposed over the transfer of personal data out of the EU/EEA under the General Data Protection Regulation (“GDPR”). Pursuant to Article 46 of the GDPR, cross-border transfer of personal data is permissible only if, in the absence of an EU adequacy decision (i.e. whereby the European Commission determines that the receiving regions or international organisations offer an adequate level of data protection under Article 45 of the GDPR) or any other recognised means of transfer under Chapter 5 of the GDPR to non-EU regions or international organisations, the transferor has provided appropriate safeguards (with enforceable data subjects’ rights and effective legal remedies available for data subjects).
The New SCCs have taken account of the GDPR requirements and the judgment handed down by the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18 (commonly known as the “Schrems II Judgment”).
Significance of the New SCCs
While the Old SCCs only cater for cross-border data transfers involving Controller-to-Controller (C2C) and Controller-to-Processor (C2P) transfers, the New SCCs cover further types of data transfers, namely, Processor-to-(Sub-) Processor (P2P), and Processor-to-Controller (P2C) transfers, on top of the two aforementioned categories of data transfers (i.e. C2C and C2P). Having incorporated the applicable clauses for each type of transfer with the corresponding requirements under the GDPR into a single ready-made template document, the New SCCs, in practice, also provide a great amount of detailed guidance to help entities evaluate and adopt the appropriate clause(s) (e.g., in terms of the various data protection safeguards, etc.) for different situations of transfer when they draw up data transfer agreement(s). Further, an optional docking clause in the New SCCs (Clause 7 refers) allows for the addition of new entities to pre-existing data transfer agreement(s) (e.g., for intra-group data transfers where new group companies may be incorporated or acquired over time).
With the aforesaid enhanced clarity and flexibility, the New SCCs have also incorporated the essence of the Schrems II Judgment concerning data transfers outside the EU/EEA. In the Schrems II Judgment, the CJEU considered that whilst the Old SCCs remained in principle a valid transfer mechanism, the underlying transfer must be assessed on a “case-by-case” basis, in such a way that the level of protection guaranteed by the GDPR would not be undermined by looking into, inter alia, (i) the contractual clauses agreed between the parties; and (ii) the possibility of access by public authorities of a non-EU region to the data transferred on the grounds of national security and more (including the relevant aspects of the legal system of that non-EU region). To this end, clauses formulated in response to the Schrems II Judgment have been incorporated in the New SCCs (Clauses 14 and 15 refer) by referring to the parties’ obligations in conducting transfer impact assessments and encountering (intended) access to the subject personal data by public authorities in the non-EU regions respectively.
Implications for Hong Kong Entities
The New SCCs are applicable in situations where a data exporter is subject to the GDPR but the data importer is not subject to the GDPR.
Unlike the Old SCCs which could only be used by data controllers established within the EU/EEA, the New SCCs may also be relied upon by data exporters which are not established in the EU/EEA, so long as their data processing activities fall under Article 3(2) of the GDPR. It follows that the New SCCs will be relevant to a Hong Kong entity if the GDPR obligations apply to it as an exporting party on an extra-territorial basis in instances where its data processing activities are related to the offering of goods or services to the data subjects in the EU/EEA, etc.
For Hong Kong entities which are not subject to the GDPR but engage in activities involving the import of personal data of data subjects in the EU/EEA (e.g., as data processors), it is worth noting that by entering into a data transfer agreement consisting of the New SCCs, the data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with the New SCCs (Clause 13(b) refers).
While data exporters and data importers may continue to rely on their existing data transfer agreements entered into based on the Old SCCs until 27 December 2022 (provided that the processing operations being the subject matter of a contractual agreement remain unchanged and that the transfer of personal data is subject to appropriate safeguards), parties entering into new contracts are now required to adopt the New SCCs.
To enable local businesses and organisations to gain a better understanding of the New SCCs, the Privacy Commissioner hosted a webinar on 6 September 2021, during which the expert speakers had a fruitful discussion on the international transfer of personal data under the GDPR and how entities in Hong Kong might make use of the New SCCs in effecting such transfer in practice.
Entities that engage in cross-border data transfers involving EU/EEA data subjects are also advised to pay heed to the New SCCs, in particular the parties’ obligations thereunder, and plan ahead for the proper arrangements of data transfer in good time.