New European Standard Contractual Clauses: New privacy considerations and what they mean for Canadian businesses

On June 4, 2021, the European Commission issued an updated version of its Standard Contractual Clauses (the new SCCs), marking the first update since the coming into force of the General Data Protection Regulation. This update outlines some of the main changes, and what this means from a Canadian perspective. 

The new SCCs replace the sets of SCCs that were previously adopted in 2010 (the old SCCs).

What are the Standard Contractual Clauses?

The SCCs are contractual clauses endorsed by the European Commission as an adequate transfer mechanism. Unless a country is granted an adequacy status by the EU, organizations wanting to share data outside of the EU need a valid transfer mechanism. 

The SCCs are generally presented as an appendix to a Data Processing Agreement (DPA).

What has changed?

The new SCCs cover four types of possible arrangements between data controllers and processors and organizes them in modules. The controller is generally the owner of the data and decides the purpose of the data processing. The processor can be a service provider that is contracted to process the data on behalf of the controller. 

• Module 1 – Controller to controller
• Module 2 – Controller to processor 
• Module 3 – Processor to processor 
• Module 4 – Processor to controller

Modules 1 and 2 were already covered under the old SCCs, while modules 3 and 4 are new additions. This use of modules creates more complete SCCs that allow for a broader variety of scenarios. 

Among the changes, we note the following key modifications:  

• SCCs as a standalone DPA: If falling under a module 2 arrangement, the SCCs are now drafted to be a standalone DPA, which eliminates the need for another data-sharing agreement introducing the SCCs. 
• Sub-processors: Module 3 fills a previous need to account for sub-processing contracts, where the transfer of data outside of the EU is not made by the controller itself, but by a first processor who wishes to use another processor.
• Multi-party agreements: The new optional clause 7 makes it possible for a third party to join an existing SCC without needing to sign a separate contract. 
• Ensuring EU level of compliance abroad: Clauses 14 and 15 impose an obligation to conduct a transfer impact assessment and specific requirements on how to handle government requests for data access under the country of destination’s local laws. 

What does this mean for Canadian organizations? 

Canada has maintained an adequacy status with the EU since 2001 for data subjects falling under the Personal Information Protection and Electronic Documents Act (PIPEDA). Under this adequacy status, personal data can flow freely from the EU to Canada without needing additional safeguards. This means a Canadian organization, if covered by PIPEDA, need not enter into the SCCs when entering into a DPA with a European organization. 

The SCCs would, however, be required if the Canadian processor is located in Alberta, British Columbia or Quebec, if the data transferred pertains to employees that are not covered by PIPEDA, or if a Canadian processor opts to use a foreign non-Canadian sub-processor when providing services to a European controller.

EU organizations may also insist on implementing the SCCs for all data-sharing contracts regardless of adequacy status of the receiving country for added protection. This is due in part to the adequacy status of the United States, named Privacy Shield, becoming invalid in 2020 through the Schrems II decision.  

As such, Canadian organizations should not ignore the new SCCs based on Canada’s adequacy status alone. Organizations should read the new SCCs closely, and assess any technical or administrative gaps within the organization that currently impede full compliance with the requirements listed in the SCCs. They may also want to be ready with updated contracts, policies and protocols, as necessary.

Important dates to keep in mind

• The new SCCs took effect on June 27, 2021. As of this date, organizations were free to use either the old or the new SCCs as a valid transfer mechanism.
• Starting on September 27, 2021, only the new SCCs will be available to organizations wishing to enter into a DPA. Prior to this date, organizations should prepare a template DPA reflecting the changes in the new SCCs.
• Existing contracts must be updated by December 27, 2022, to include the new SCCs. This represents a 15-month grace period during which old SCCs are still an acceptable transfer mechanism, if they were agreed to before the September deadline. Before this date, organizations should inventory existing agreements relying on the old SCCs and negotiate with other parties to have them updated to account for the new SCCs.