EU: Commission releases long-awaited SCCs for international data transfers
On 4 June 2021, the European Commission released the long-awaited final version of the new Standard Contractual Clauses [1] ('SCCs') for international transfers of personal data. Drafts of the Commission's implementing decision and the new SCCs were published in November 2020 [2]. Different stakeholders, ranging from industry representatives to privacy activists, were invited to comment on the draft SCCs during a period of public consultation, which closed in December 2020. In addition, the European Data Protection Board ('EDPB') together with the European Data Protection Supervisor ('EDPS') issued a 'Joint Opinion 2/2021 on the European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries' [3] in January 2021. David Dumont and Laura Léonard, from Hunton Andrews Kurth LLP, discuss the key revisions made since the release of the initial draft SCCs in November 2020.
The Commission has taken several months to evaluate responses to its consultation and revise the draft SCCs in light of this feedback. The updated draft SCCs were then reviewed by representatives of the EU Member States and approved through the comitology procedure.
The SCCs are the most frequently used mechanism when organisations subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') seek to ensure appropriate safeguards for the transfer of personal data to recipients in non-adequate countries outside the European Economic Area ('EEA').
The current sets of SCCs were adopted by the Commission many years ago under the Data Protection Directive (Directive 95/46/EC). An update was urgently needed to reflect the more detailed EU data protection framework introduced by the GDPR, as well as to accommodate the complexity of modern data processing chains.
With the new SCCs, the Commission also aims to address the issues raised in the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) ('the Schrems II Case'). Following the Schrems II Case, organisations relying on any of the transfer mechanisms provided under Article 46 of the GDPR (including the SCCs) must assess the level of protection afforded to personal data in the recipient country on a case-by-case basis. One of the key elements of this transfer risk assessment is whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If that is the case, supplementary measures must be implemented to ensure a level of protection that is essentially equivalent to the level of data protection in the EU. As further discussed below, the new SCCs introduce a number of contractual provisions that are designed specifically to mitigate government surveillance risks.
Content of the SCCs
In the new SCCs, the Commission has adopted a modular structure. In addition to general clauses that apply to all international data transfer scenarios, the new SCCs contain a number of modular clauses that the parties select depending on their respective status under the GDPR. As such, the new SCCs accommodate four distinct transfer scenarios, i.e. controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. With this approach, any type of organisation (controller or processor) subject to the GDPR can now rely on SCCs when transferring personal data to any type of recipient (controller, processor, or sub-processor) outside the EEA.
The general clauses address:
- the parties' obligation to ensure that the laws in the recipient country do not prevent the data importer from fulfilling its obligations under the SCCs – in particular, any requirements for the data importer to comply with data disclosure or access requests from public authorities;
- the data importer's obligations with respect to such government disclosure and access requests to transferred data, including the obligation to notify the data exporter, review the legality of a request, and to minimise access or disclosure to the data to what is strictly necessary under the request;
- data subjects' redress mechanisms with respect to the SCCs;
- the parties' respective liability in the event of a breach of the SCCs;
- competence of the relevant supervisory authority;
- obligations of the parties in the event that the data importer is unable to comply with the SCCs;
- termination of the SCCs;
- the parties' choice of law, which needs to allow for third-party beneficiary rights; and
- the choice of forum and jurisdiction in the event of a dispute arising from the SCCs.
The new SCCs also provide an optional 'docking clause' that allows the accession of additional parties during the life-cycle of the contract, thereby providing more flexibility for evolving relationships and circumstances (e.g., acquisitions).
Depending on the relevant transfer scenario, the modular clauses address:
- the data protection safeguards that the parties must implement corresponding to their role under the GDPR (including the right to give instructions/obligation to comply with the other party's instructions, transparency obligations, purpose limitation restrictions, accuracy requirements, data minimisation and storage limitation restrictions, requirements with respect to erasure and return of personal data, information security provisions, specific safeguards with respect to transfers of sensitive data and data relating to criminal convictions and offences, onward transfer related provisions, and the parties' accountability obligations);
- the appointment of sub-processors (for controller-to-processor and processor-to-processor transfer scenarios);
- data subject rights and the parties' obligations in the event of a data subject rights request; and
- the parties' respective liability under the SCCs.
An important innovation introduced by the new SCCs is that the modular clauses for controller-to-processor or processor-to-processor transfer scenarios now contain the data protection obligations that must be included in data processing agreements pursuant to Article 28 of the GDPR. This resolves the current situation in which data exporters must supplement SCCs with additional provisions when transferring data to a processor located outside the EEA in order to meet their obligations under Chapter V of the GDPR and Article 28 of the GDPR.
In addition to the general and modular clauses, the new SCCs contain an appendix with a number of annexes that must be completed by the parties. Generally, the annexes to the new SCCs require a greater level of detail than the former sets of SCCs. In Annex I, the data exporters and importers must be identified and the details of the transfers should be described. The data transfer description includes: the categories of data subjects whose data is transferred; the categories of data transferred; the purpose(s) of the transfers and further processing; the maximum retention period and, for transfers to (sub)-processors, the subject matter, nature, and duration of the processing. Furthermore, the parties should identify the competent supervisory authority. In Annex II, the data importer(s) will need to provide a description of the technical and organisational measures that are or will be implemented to ensure that the transferred data is appropriately secured. Annex III should be used to list any sub-processors that are involved in the processing of the transferred data.
Key changes between draft and final SCCs
Overall, the final version of the new SCCs does not substantially deviate from the draft version of the SCCs that was released by the Commission in November 2020. Most changes amount to clarifications rather than substantive amendments. That said, certain revisions are worth a closer look.
The Commission has made a remarkable change in its implementing decision, which, among other things, defines the scope of use of the new SCCs. It provides that organisations may use the SCCs to provide appropriate safeguards within the meaning of Article 46 of the GDPR when transferring personal data to a data importer outside the EEA. In the final version of the implementing decision, the Commission added that the SCCs may be used for such transfers only to the extent that the importer's processing activities do not fall within the scope of the GDPR.
This additional wording seems to suggest that the Commission takes the view that data transfers to importers established outside the EEA that fall within the GDPR's extraterritorial reach (set forth under Article 3.2 of the GDPR) are not subject to the transfer restrictions imposed under Chapter V of the GDPR and, hence, do not trigger the need for a transfer mechanism. If this interpretation were accurate, this would have a significant impact for many organisations established outside the EEA that do business and/or monitor the behaviour of individuals in the EEA, as these would no longer need to put in place data transfer mechanisms to receive personal data originating from the EEA. Given the significance of this position, the Commission likely would have been more explicit on the point. Furthermore, this position does not seem to be reflected in the SCCs themselves. For example, the clauses concerning onward data transfers remain silent about situations in which personal data would be transferred onward to a recipient that is not directly subject to the GDPR. Further clarification from the Commission on this point would, therefore, be useful.
Schrems II Case
In the final version of the SCCs, the Commission decided to dedicate a separate section of the SCCs (i.e., Section III – Local Laws and Obligations in case of Access by Public Authorities) to Schrems II related obligations, instead of embedding these obligations throughout the text of the SCCs. In particular, the new SCCs require the parties to carry out a transfer risk assessment and set forth a number of obligations with respect to handling requests from government authorities to access personal data transferred under the SCCs.
When conducting transfer risk assessments, the parties should consider the specific circumstances of the transfers (including the length of the processing chain, number of actors involved and transmission channels used, intended onward transfers, etc.), the legal framework of the destination country (including case law, reports of oversight bodies, other requests in the data importer's sector, and the practical experience of the data importer with respect to government access requests within a representative timeframe), and any relevant supplemental contractual, technical, and organisational safeguards that have been put in place. The latter point indicates that SCCs alone may not be sufficient to ensure a level of protection that is essentially equivalent to the EEA in situations where a transfer risk assessment identifies specific risks related to the transfer which cannot be sufficiently mitigated by the safeguards embedded in the SCCs. On this point, the final guidance from the EDPB (anticipated within weeks) will hopefully shed some light.
With respect to the handling of government access requests, the final version of the new SCCs imposes a number of duties on the data importer, including an obligation to: (i) notify the data exporter (and where possible even the data subjects) of the request; (ii) obtain a waiver to any restrictions on the communication of relevant information in response to the government access request from the data exporter; (iii) maintain and provide information on government access requests on an ongoing basis; (iv) review the legality of any requests; and (v) ensure compliance with the data minimisation principle by disclosing only personal data that is strictly necessary and limiting the scope of the request to the extent possible.
Overall, the Commission has not made significant changes to the general clauses compared to the draft SCCs that were released in November 2020. Some minor changes include:
- The liability provisions have been slightly amended to remove the limitation of liability on actual damages suffered, which was included in the draft SCCs.
- For data exporters with an establishment in the EEA, the supervisory authority competent to oversee the transfers under the new SCCs will be that of the jurisdiction in which the exporter's relevant establishment is located. For non-EEA organisations subject to the GDPR pursuant to Article 3.2 of the GDPR, the Commission has clarified in the final version of the new SCCs that the competent supervisory authority will be that of the jurisdiction in which the organisation's EEA data protection representative is located (appointed pursuant to Article 27 of the GDPR). However, if the non-EEA organisation has not appointed an EEA data protection representative, the competent supervisory authority will be the authority in one of the Member States in which data subjects are located.
The new SCCs require organisations to provide data subjects, free of charge, with a copy of the SCCs upon request. They also permit organisations to redact any portions of the Appendix to the SCCs prior to disclosure, provided that they inform data subjects of the reasons for such redactions upon request.
Controller-to-controller modular clauses
With respect to the controller-to-controller modular clauses, the following changes are worth noting:
- The final version of the new SCCs provides more flexibility for the importing controller to process the transferred personal data for purposes other than the specific purpose(s) of the transfer, including where it has obtained the data subject's prior consent, where necessary for the establishment, exercise, or defence of legal claims or where necessary to protect the vital interests of the data subject.
- Similarly, additional grounds to legitimise onward transfers are introduced, including where necessary for the establishment, exercise, or defence of legal claims, or where necessary to protect the vital interests of the data subject.
- With respect to onward transfers and related transparency requirements, the final version of the SCCs allows the data importer to inform data subjects about the identified recipients, or the categories of recipients. This, however, does not apply when relying on consent for onward transfers. In the latter case, the data importer must inform data subjects about the exact identity of the data recipient(s).
Controller-to-processor modular clauses
The controller-to-processor modular clauses included in the final version of the new SCCs differ in the following respects:
- The final version of the SCCs imposes on the data importer the obligation to carry out regular checks to ensure that the technical and organisational measures implemented to secure personal data are sufficient (i.e., ongoing monitoring of the appropriateness of the information security measures).
- In the audit clause, the Commission removed the possibility for the data importer to appoint/mandate its own independent auditor: either the data exporter conducts the audit itself or it mandates an auditor.
- Interestingly, the Commission also moved away from requiring parties to make a selection from various options with respect to the deletion or return of data following completion of the processing services. Instead, the final version of the SCCs now closely mirrors the language of Article 28 of the GDPR in this respect and affords that choice to the data exporter, i.e. the controller.
- On data subject rights, the SCCs now request the parties to set out in Annex II the technical and organisational measures implemented by the data importer to assist the importer in accommodating data subject rights requests.
- With respect to the use of sub-processors, data importers will be required to provide additional information to the data exporter to enable the latter to take a decision with respect to the authorisation of the use of a specific sub-processor and to exercise its right to object. Another point to note is the fact that the final version of the SCCs slightly lowers the threshold for sub-processing agreements by requiring an agreement that has 'in substance' the same data protection obligations, instead of requiring the 'same' data protection obligations.
Processor-to-processor modular clauses
With respect to processor-to-processor transfers, the new SCCs require the exporting processor to make the results of an audit that was carried out under the instructions of the controller available to such controller.
Processor-to-controller modular clauses
The processor-to-controller modular clauses generally impose more comprehensive data protection obligations on the exporting processor to ensure that the new SCCs meet the standards of Article 28 of the GDPR. This includes data deletion or return obligations at the conclusion of the processing services, an obligation to cooperate with the data importer to implement appropriate information security measures and data breach reporting obligations vis-à-vis the data importer.
Finally, the following changes were made to the Appendix and related Annexes:
- The Appendix now includes an explanatory note to assist organisations in completing the Annexes with the appropriate level of detail. For example, the explanatory note clarifies that generic statements are not sufficient for the description of the security measures implemented.
- In the final version of the SCCs, Annex I requires identification of the respective roles of the parties, i.e. controller or processor. To the extent that a party has different roles and undertakes different processing activities in connection with the same relationship, separate versions of Annex I may be required.
- For processor-to-processor relationships, it is no longer required to identify all controllers on whose behalf the exporting processor is processing the transferred personal data in Annex I.
- In Annex I, the parties now also need to give an indication of the frequency of the data transfer (e.g., whether the data is transferred on a one-off or continuous basis).
- Finally, the identity of the competent supervisory authority for each party must be identified in Annex I.
The new SCCs will become effective on the twentieth day after publication in the Official Journal of the European Union, i.e. on 27 June 2021. The existing SCCs will be repealed three months after the new SCCs enter into force. This means that, as from 27 September 2021, organisations will no longer be able to rely on the former sets of SCCs for new data transfers. Data transfer agreements that incorporate the former sets of SCCs will continue to be considered as providing appropriate safeguards for a period of 18 months after the new SCCs are published in the Official Journal, provided that the processing operations that are the subject matter of those agreements remain unchanged.
Importantly, later this month the EDPB is expected to adopt a final version of its guidance on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data following the Schrems II Case. This will hopefully provide further clarification of organisations' obligations with respect to international data transfers under the GDPR.
The new SCCs do not constitute 'retained EU law' and UK companies will, therefore, not be able to rely on them to legitimise data transfers from the UK. The UK Information Commissioner's Office is, however, expected to adopt its own set of standard contractual clauses for data transfers from the UK in the near future.
[1] See: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
[2] See: https://www.dataguidance.com/opinion/eu-new-draft-sccs-commission
[3] See: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_en