EU: Commission adopts new SCCs - Reactions and analysis
The European Commission announced, on 4 June 2021, that it had adopted two new sets of Standard Contractual Clauses ('SCCs'), one for use between controllers and processors ('the Controller-Processor SCCs') and one for the transfer of personal data to third countries ('the Third Country Transfer SCCs'), following its public consultation on the draft version of the SCCs ('the Draft SCCs'). In particular, the Commission highlighted that the new SCCs reflect the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and take into account the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II Judgment').
In addition, the Commission noted that the new SCCs take into consideration, among other feedback, the joint opinion of the European Data Protection Board ('EDPB') and the European Data Protection Supervisor ('EDPS'), and outlined that they will offer more legal predictability to European businesses and help, in particular, small and medium-sized enterprises to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.
In this Insight, we outline some of the key takeaways and gather the reactions and analysis of EU experts with regards to the impact of SCCs on the data transfer landscape.
Eduardo Ustaran, Partner at Hogan Lovells International LLP, commented, ''My initial view is that the adoption of a new set of SCCs will be a game-changer with important implications for data transfers between EU and non-EU countries. For starters, all existing contracts relating to data transfers will need to be revised, which will make thousands of organisations re-focus their attention from general GDPR compliance to international data transfers.''
Third Country Transfer SCCs
Background and overview
Article 46(2)(c) of the GDPR outlines that appropriate safeguards for data transfers to third countries may be provided for through standard data protection clauses adopted by the Commission.
Although the Schrems II judgment upheld SCCs as a valid mechanism for international data transfers, it made clear that signing them is not sufficient on its own: the data exporter and importer must verify, on a case-by-case basis, that the laws and practices of the third country of destination do not undermine the protection the clauses provide, and must adopt supplementary measures where they do. The judgment thus placed the onus on the parties to carry out third country assessments.
The Third Country Transfer SCCs aim, among other things, to set out the steps companies have to take to comply with the Schrems II judgment, together with examples of possible 'supplementary measures', such as encryption, that companies may adopt where necessary, whilst also aiming to reflect the wording and requirements of the GDPR.
In addition, the Commission outlined that the Third Country Transfer SCCs:
- include one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- offer more flexibility for complex processing chains, through a 'modular approach' and by offering the possibility for more than two parties to join and use the clauses; and
- offer a practical toolbox for compliance with the Schrems II judgment.
Recital 10 of the Implementing Decision for the Third Country Transfer SCCs outlines that 'the SCCs set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains.'
Further to the above, Ustaran highlighted that, "The key difference between the old and new SCCs will be the new modular approach, so organisations will need to carefully consider whether they are a controller or a processor and identify the correct module in light of their role."
Accordingly, the Third Country Transfer SCCs are divided into the following four distinct modules:
- Transfer controller to controller;
- Transfer controller to processor;
- Transfer processor to processor; and
- Transfer processor to controller.
Where applicable, the Third Country Transfer SCCs specify how the provisions would apply to each of the relevant modules and include requirements in relation to:
- purpose limitation;
- duration of processing and erasure or return of data;
- sensitive data; and
- onward transfers.
The Third Country Transfer SCCs also regulate the use of sub-processors where applicable.
Carlo Piltz, Partner at reuschlaw Legal Consultants, pointed to the processor-processor module, stating, "It is particularly positive for practice that the new SCCs can also be used for the relationship between two processors. This gap had existed for many years (even under the Data Protection Directive) and is now closed. This means that a processor established in the EU can now conclude the contract directly with a subcontractor in a third country. It is no longer necessary for the controller to conclude the contract."
In relation to this, Márton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP, commented, "It is welcome that the Third Country SCCs regulate onward transfers, because the GDPR mentions it only briefly. Considering the complexity of international data transfers, the supervision of onward transfers will require extensive due diligence obligations on behalf of the companies. Although onward transfers were already regulated by the GDPR, such regulation was merely theoretical - companies did not have the resources and, sometimes, the will, to 'flow down' their SCCs to onward transfers. This will change now."
In addition, Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy, Fox Rothschild LLP, highlighted that, "There is an emphasis on transparency meaning that data subjects should be given a copy of the SCCs and be informed, in particular, of the categories of personal data processed, the right to obtain a copy of the SCCs and any onward transfer. [Additionally, there is an] obligation of transparency on the data importer [and] transparency in the event of a data breach and regulatory investigations."
Schrems II compliance
Local laws and obligations
Clause 14 of the Third Country Transfer SCCs provides that parties must confirm that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the clauses of the SCCs. In particular, the Third Country Transfer SCCs require parties to declare that they have taken into consideration a number of elements, including the specific circumstances of the data transfer, the laws and practices of the third country of destination, as well as any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the clauses.
Further, the Third Country Transfer SCCs require parties to document the above assessment and oblige the data importer to agree to notify the data exporter if it has reason to believe that it is, or has become, subject to laws or practices not in line with the requirements.
Moreover, Clause 15 of the Third Country Transfer SCCs requires the data importer to notify the data exporter and, where possible, the data subject promptly if it receives a legally binding request from a public authority or becomes aware of any direct access by public authorities to personal data transferred pursuant to the Third Country Transfer SCCs.
In reference to the above, Kagan noted, "the risk-based approach is back as parties are required to take into consideration the specific circumstances of the case including the nature and scope of the data, nature of recipient, length of supply chain etc., as well as whether or not national security requests had been made in the same sector and even, the documented practice experience of the data exporter and data importer."
On the same, Jimmy Orucevic, Data Protection & Privacy Consultant at KPMG Switzerland, commented, "Under Clauses 14 and 15 one could argue that a risk-based approach seems to be possible (i.e. a Transfer Impact Assessment) but according to EDPB recommendations 'objective factors' (regardless of likelihood of occurrence) are decisive."
Technical and organisational measures
The Third Country Transfer SCCs outline that importers and exporters must implement technical and organisational measures to ensure the security of data. Specifically, Annex II of the Third Country Transfer SCCs lists examples of measures, including measures for:
- pseudonymisation and encryption of personal data;
- ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- restoring the availability of, and access to, the data in a timely manner after a physical or technical incident;
- protection of data during transmission and storage;
- user identification and authorisation;
- ensuring physical security;
- event logging;
- data minimisation; and
- limited data retention.
Compliance and enforcement
In relation to the enforcement of the Third Country SCCs, Domokos noted that, "Previously, organisations did not put too much effort into these issues, mainly due to the lack of expectance from regulators. SCCs were treated as an automatically used annex to the underlying agreements. Considering the recent scrutiny of the regulators in relation to third country data transfers, we expect that in case of a regulatory request, data exporters must be able to prove that they enforced their audit rights, and data importers have fulfilled their respective obligations. Again, this will require the introduction of new compliance procedures, and the allocation of more resources on behalf of the organisations."
Controller-Processor SCCs
The Controller-Processor SCCs aim to ensure compliance with Article 28(7) of the GDPR and Article 29(7) of Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. The Controller-Processor SCCs outline the obligations of the parties in relation to:
- the instructions to be provided by the data controller to the data processor in relation to the processing activities;
- the security of processing, specifically the implementation of technical and organisational measures;
- the processing of sensitive data;
- the use of sub-processors, either with the prior specific authorisation of the controller or under the controller's general written authorisation;
- international data transfers;
- the processor's assistance to the controller with, among other things, data subject requests, DPIAs and prior consultation; and
- data breach notification requirements.
Furthermore, the Controller-Processor SCCs also address non-compliance with the clauses and termination of the SCCs.
Instruction rights of controllers
In particular, Domokos highlighted, "It is welcome that the Controller-Processor SCCs detail the subsequent instruction rights of the data controller clearly, because it is a common situation in the day-to-day cooperation between controllers and processors, yet not regulated by the GDPR. However, there is a risk that the processor's compliance with subsequent instructions may require the performance of supplemental services or variations to existing services for additional charges, and the Controller-Processor SCCs do not regulate this scenario. Therefore, the parties should add a formal change control to the Controller-Processor SCCs to avoid future disputes."
Clause 7.6 of the Controller-Processor SCCs addresses documentation and compliance and provides: '[…] At the controller's request, the processor shall also permit and contribute to audits of the processing activities covered by these clauses, at reasonable intervals or if there are indications of non-compliance […] The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice […]'
Domokos highlighted, "Until now, we have not seen detailed regulatory practice for the frequency, form, and scope of audits by the controller that the supervisory authority would consider appropriate in controller-processor relations. Now the Controller-Processor SCCs have introduced certain details (compared to the GDPR) on the timing; however, terms such as 'reasonable intervals' (when the audits can be conducted) and 'reasonable notice' can be interpreted flexibly and may give rise to disputes between the parties."
Clause 7.7 of the Controller-Processor SCCs regulates the processor's authorisation to subcontract its processing activities, offering an option to agree either that prior specific authorisation from the controller is required for each engagement, or that the processor has the controller's general written authorisation to engage sub-processors from an agreed list.
Analysing the general authorisation option, Domokos noted, "The Controller-Processor SCCs state that the controller shall have sufficient time to be able to object to the changes in the scope of the permitted sub-processors. In practice, it is a recurring question how the parties can handle a 'deadlock' situation, i.e. what kind of rights the controller may have when the processor insists on the engagement of the new sub-processors. Unfortunately, the Controller-Processor SCCs do not regulate such a situation either."
New co-operation obligation for processors
In addition, Domokos called attention to an addition to Clause 8 of the Controller-Processor SCCs, "It is remarkable that the Controller-Processor SCCs introduce a brand-new cooperation obligation for the processor: 'the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated'. This obligation does not stem from the GDPR, and I have not seen similar undertakings in customised controller to processor agreements either. For me, it is uncertain how the processor can comply with such an obligation in practice - it requires a more detailed procedure to monitor data accuracy, and the greatest question is how the processor can 'become aware' of the inaccuracy of the data. For example, can the processor rely on a notification from a data subject and merely forward it to the controller, or does the processor have further obligations to actively verify the contents of such a notification?"
Technical and organisational measures
Domokos further noted that the explanatory note in Annex III on the description of the technical and organisational security measures "will be very useful for controllers and processors." Elaborating on this, Domokos outlined, "In our experience, customised agreements still do not contain proper and detailed description of these measures - now the parties must provide information (and agree on) such measures with a view to the practical examples set out in the Controller-Processor SCCs."
Transition period
Notably, the Commission highlighted that for controllers and processors that are currently using previous sets of standard contractual clauses, a transition period of 18 months is provided. By contrast, the Draft SCCs had envisaged a transition period of 12 months.
Piltz highlighted, "It is particularly important for companies [to review] how they now deal with already completed old SCC (based on the Data Protection Directive). Recital 24 of the Implementing Decision contains the following requirements in this regard: after the entry into force of the decision on the new SCC, a transition period of 3 months still runs, during which companies can continue to use the old SCC. At the end of the 3-month period, the old SCCs will be discontinued. This is followed by a further transition period of 15 months. During these 15 months, data transfers can still take place on the old SCCs if these SCCs were completed before the expiration of the first period (3 months). This means that, in a period of 3 months, the old SCC can still be concluded for the first time. After that, existing transmissions based on the old SCC are protected for 15 months. Of course, these old SCCs must also meet the requirements of the Schrems II decision and the guidance from the EDPB, [in particular with respect to the implementation of] additional supplementary measures."
Implementation of new SCCs
In relation to practical implementation of the Third Country Transfer SCCs, Orucevic outlined, "Now it will be a matter of converting the contract modules into templates that are suitable for everyday business (including the Transfer Impact Assessment). All in all, the effort of handling third country transfers and documentation will remain quite high. The new SCCs will not be providing the 'simplification' of transfers some were hoping for. Concluding new SCCs alone will not be sufficient to comply with Schrems II requirements."
Angela Potter, Lead Privacy Analyst
Alexis Galanis, Privacy Analyst
Comments provided by:
Eduardo Ustaran, Partner
Hogan Lovells LLP, London
Márton Domokos, Senior Counsel
CMS Cameron McKenna Nabarro Olswang LLP, Budapest
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
Dr. Carlo Piltz, Partner
reuschlaw Legal Consultants, Berlin
Jimmy Orucevic, Data Protection & Privacy Consultant