EU: Are additional SCCs for international data transfers on the horizon?
On 4 June 2021, the European Commission introduced updated Standard Contractual Clauses ('SCCs') for the transfer of personal data to third countries (i.e. countries outside the European Economic Area ('EEA')) pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')1. The previous SCCs pre-dated the GDPR and required an overhaul to better reflect today's data transfer realities. At the same time, the European Commission also wanted to address (some of) the concerns raised by the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), by adding data protection safeguards to the SCCs. The previous SCCs were repealed on 27 September 2021, leaving the June 2021 SCCs as the only SCCs that controllers and processors can currently enter into in order to transfer personal data to non-adequate countries outside of the EEA and comply with the data transfer rules in Chapter 5 of the GDPR. Recently, the European Data Protection Board ('EDPB') has indicated that new and separate SCCs for international data transfers may be on the horizon. Wim Nauwelaerts, Partner at Alston & Bird LLP, discusses the prospect of additional SCCs and how these might fit into the already complex EU data transfers landscape, while clarifying the scope of the June 2021 SCCs.
Scope of the June 2021 SCCs
Since the new SCCs were published last June, there has been confusion around their scope of application and, in particular, whether or not they can be used if a data importer's processing activities are already subject to the GDPR. This may be the case, for instance, when a data importer outside the EEA is caught by the extraterritorial provisions in Article 3(2) of the GDPR because it is offering goods or services to individuals in the EEA and processing their personal data in that context.
The problem is that the European Commission's Decision implementing the new SCCs ('the Decision') states, in Recital 7, that the SCCs may be used only to the extent that the processing by the importer does not fall within the scope of the GDPR. The same position is repeated in Article 1 of the Decision, which confirms that the SCCs set out in the Annex of the Decision are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of the GDPR 'for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-) processor whose processing of the data is not subject to that Regulation (data importer)' [emphasis added]2.
Whether or not recitals are legally binding is debatable, but there is no question that a decision adopted by the European Commission and its constituting articles are legally binding in their entirety3. It is also clear that the European Commission did not commit an error here, but that it deliberately decided to limit the new SCCs' scope of application. The reason for this decision remains to be explained by the European Commission. It is possible, however, that while drafting the new SCCs, the European Commission considered that if a data importer is required to process personal data in accordance with the GDPR, appropriate protection is already in place and no additional safeguards (under Chapter 5 of the GDPR) are needed. This interpretation would be in line with the UK Information Commissioner's Office ('ICO')'s 'restricted transfer' approach, according to which a data transfer restricted by Chapter 5 GDPR only takes place where the importer's processing of the data is not subject to the GDPR4.
During the drafting stage of the new SCCs, the EDPB and European Data Protection Supervisor ('EDPS') both recommended that the European Commission, for the avoidance of doubt, should clarify that the provisions in Article 1 are only intended to address the issue of the scope of the (draft) Decision and the (draft) SCCs themselves, and not the scope of the notion of transfers5. However, the European Commission did not follow that recommendation, leaving confusion as to whether or not data transfers to importers whose processing is subject to the GDPR require a transfer tool under Chapter 5 of the GDPR.
New guidelines and SCCs for importers subject to Article 3(2)?
Recent minutes of the EDPB's plenary meeting seem to indicate that the EDPB and the European Commission plan to address this issue in the months to come, with a view to bringing legal certainty to the matter6. The EDPB is in the process of drafting guidelines on the interplay between Article 3 and Chapter 5 of the GDPR and emphasised in its minutes 'the importance of this work', while confirming that it had exchanged views on the notion of transfers, the relevant criteria to define this notion and examples to be included in the draft guidelines. The EDPB also recognised the importance of finalising the guidelines expeditiously. According to the same minutes, the European Commission confirmed its intention to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR as soon as the EDPB has adopted its draft guidelines. Considering the use restrictions that apply to the SCCs published in June 2021, it appears that the European Commission favours issuing another Decision that would create an additional set of SCCs (rather than amending the Decision adopted in June 2021).
What might new SCCs look like?
Based on the limited information available at this point, it would not be unrealistic to assume that if the European Commission does decide to issue an additional set of SCCs, these SCCs would:
- coexist with the current SCCs (adopted in June 2021). This means that there would be two different sets of SCCs, albeit for different data transfer scenarios;
- become the data transfer tool of choice for data importers outside of the EEA whose processing is in scope of Article 3(2) GDPR. This leaves open the question of how to address data transfers to importers outside of the EEA whose processing is in scope of the GDPR pursuant to Article 3(1) of the GDPR; and
- be a 'light' version of the current SCCs, as several of the obligations in the current SCCs are already directly applicable to the relevant data importers as a result of Article 3(2) GDPR. It can be expected, however, that the European Commission will still want to emphasise third-party beneficiary rights for data subjects, the need to assess the potential impact of local laws and practices affecting compliance with the SCCs, as well as obligations on data importers around data access by public authorities.
Wim Nauwelaerts, Partner
Alston & Bird LLP
1. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (7 June 2021), available at: https://www.dataguidance.com/legal-research/commission-implementing-decision-eu-2021914-4
2. Ibid, p.35.
3. See: https://ec.europa.eu/info/law/law-making-process/types-eu-law_en.
4. Although the ICO has been applying this approach for several years, in the recent consultation that it launched on the topic of international transfers under the UK GDPR, the ICO expressed its intention to move away from this position in the near future. See https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-data-transferred-outside-of-the-uk/, Consultation Paper and Questions, p.11.
5. EDPB-EDPS Joint Opinion 2/2021 on standard contractual clauses for the transfer of personal data to third countries, p.8, available at: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_en
6. Available at: https://edpb.europa.eu/system/files/2021-10/20210914plenfinalminutes_54thplenary_public.pdf