Scope of the June 2021 SCCs

Since the new SCCs were published last June, there has been confusion around their scope of application and, in particular, whether or not they can be used if a data importer's processing activities are already subject to the GDPR.  This may be the case, for instance, when a data importer outside the EEA is caught by the extraterritorial provisions in Article 3(2) of the GDPR because it is offering goods or services to individuals in the EEA and processing their personal data in that context. 

The problem is that the European Commission's Decision implementing the new SCCs ('the Decision') states,in Recital 7, that the SCCs may be used only to the extent that the processing by the importer does not fall within the scope of the GDPR. The same position is repeated in Article 1 of the Decision, which confirms that the SCCs set out in the Annex of the Decision are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of the GDPR 'for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-) processor whose processing of the data is not subject to that Regulation (data importer') [emphasis added]².

Whether or not recitals are legally binding is debatable, but there is no question that a decision adopted by the European Commission and its constituting articles are legally binding in their entirety³.  It is also clear that the European Commission did not commit an error here, but that it deliberately decided to limit the new SCCs' scope of application. The reason for this decision remains to be explained by the European Commission. It is possible, however, that while drafting the new SCCs, the European Commission considered that if a data importer is required to process personal data in accordance with the GDPR, appropriate protection is already in place and no additional safeguards (under Chapter 5 of the GDPR) are needed.  This interpretation would be in line with the UK Information Commissioner's Office ('ICO')'s 'restricted transfer' approach, according to which a data transfer restricted by Chapter 5 GDPR only takes place where the importer's processing of the data is not subject to the GDPR⁴.  

During the drafting stage of the new SCCs, the EDPB and European Data Protection Supervisor ('EDPS') both recommended that the European Commission, for the avoidance of doubt, should clarify that the provisions in Article 1 are only intended to address the issue of the scope of the (draft) Decision and the (draft) SCCs themselves, and not the scope of the notion of transfers⁵. However, the European Commission did not follow that recommendation, leaving confusion as to whether or not data transfers to importers whose processing is subject to the GDPR require a transfer tool under Chapter 5 of the GDPR.      

New guidelines and SCCs for importers subject to Article 3(2)?

Recent minutes of the EDPB's plenary meeting seem to indicate that the EDPB and the European Commission plan to address this issue in the months to come, with a view to bringing legal certainty to the matter⁶. The EDPB is in the process of drafting guidelines on the interplay between Article 3 and Chapter 5 of the GDPR and emphasised in its minutes 'the importance of this work', while confirming that it had exchanged views on the notion of transfers, the relevant criteria to define this notion and examples to be included in the draft guidelines. The EDPB also recognised the importance of finalising the guidelines expeditiously. According to the same minutes, the European Commission confirmed its intention to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR as soon as the EDPB has adopted its draft guidelines. Considering the use restrictions that apply to the SCCs published in June 2021, it appears that the European Commission favours issuing another Decision that would create an additional set of SCCs (rather than amending the Decision adopted in June 2021). 

What might new SCCs look like?

Based on the limited information available at this point, it would not be unrealistic to assume that if the European Commission does decide to issue an additional set of SCCs, these SCCs would: 

• coexist with the current SCCs (adopted in June 2021). This means that there would be two different sets of SCCs, albeit for different data transfer scenarios;
• become the data transfer tool of choice for data importers outside of the EEA whose processing is in scope of Article 3(2) GDPR. This leaves the question how to address data transfers to importers outside of the EEA whose processing is in scope of the GDPR pursuant to Article 3(1) of GDPR; and
• be a 'light' version of the current SCCs, as several of the obligations in the current SCCs are already directly applicable to the relevant data importers as a result of Article 3(2) GDPR. It can be expected, however, that the European Commission will still want to emphasise third-party beneficiary rights for data subjects, the need to assess the potential impact of local laws and practices affecting compliance with the SCCs, as well as obligations on data importers around data access by public authorities.    

Wim Nauwelaerts Partner
[email protected]
Alston & Bird LLP

---

1. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (7 June 2021), available at: https://www.dataguidance.com/legal-research/commission-implementing-decision-eu-2021914-4
2. Ibid, p.35.
3.  See: https://ec.europa.eu/info/law/law-making-process/types-eu-law_en.
4. Although the ICO has been applying this approach for several years, in the recent consultation that it launched on the topic of international transfers under the UK GDPR, the ICO expressed its intention to move away from this position in the near future. See https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/, Consultation Paper and Questions, p.11. 
5. EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries, p.8, available at: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_en  
6. Available at: https://edpb.europa.eu/system/files/2021-10/20210914plenfinalminutes_54thplenary_public.pdf