EU: Commission's new SCC guidance - five key practical takeaways
With the 27 December 2022 deadline for transitioning all existing contracts to the European Commission's new Standard Contractual Clauses ('SCCs') drawing closer, the European Commission has issued guidance to assist organisations with the various technical, organisational, and contractual requirements for their lawful implementation. Specifically, on 25 May 2022, the Commission issued a set of 44 questions and answers ('Q&A') dealing with a variety of practical issues frequently encountered by stakeholders, based on their experience with using the new SCCs in the first months after their adoption. In this Insight article, we break down the five key practical takeaways from the Q&A for organisations seeking to ensure compliance with the new SCCs.
On 4 June 2021, the Commission adopted two new sets of SCCs, one for use between controllers and processors ('the Controller-Processor SCCs') and one for the transfer of personal data to third countries ('the Third Country Transfer SCCs'), updated to reflect the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and to take into account the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment').
Following an initial three-month transition period, organisations were required to introduce the new SCCs into any new contractual agreements. However, existing contracts that include the old SCCs remain valid until 27 December 2022, at which point all contracts will need to be updated with the new SCCs.
Among other practical challenges, Clause 14 of the Third Country Transfer SCCs requires the contracting parties to commit to performing what have come to be known as Transfer Impact Assessments ('TIAs'): an assessment of whether the circumstances of the data transfer allow a level of protection essentially equivalent to the GDPR to be ensured and, in the case of a negative assessment, the implementation of supplementary measures to ensure the same. Guidance on the process is provided by the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools.
Key takeaways from the Q&A
1. SCC signature
Questions 6-10 of the Q&A are dedicated to guidance clarifying contractual requirements including the signature of, potential modifications to, and relationship of the new SCCs with other contractual provisions.
Among other clarifications, the Commission confirmed that SCCs may be incorporated into broader commercial contracts, provided that the other contractual provisions do not contradict the SCCs or prejudice the rights of data subjects (Question 8) and, in relation to incorporation by reference, that the SCCs have to be signed by and binding on all parties, and incorporated into their contract, in accordance with the civil law requirements of the chosen jurisdiction (Question 10).
As an important starting point, however, this section of the Q&A addresses requirements and conditions related to the actual signing of the SCCs.
Guidance in this area is particularly timely, according to Marton Domokos, Senior Counsel at CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe, who explained to OneTrust DataGuidance:
"Most of the companies who started updating their SCCs are now in the signing phase. In the case of multinational companies, we found that it is actually this process which causes a significant amount of administration – identifying and contacting the (often C-level) signatories, explaining the SCCs and the reason for their update to them, and collecting the signatures from multiple countries is a real administrative challenge. This is a true story, and I don't think that the Commission ever imagined that when drafting the SCCs – we spent a considerable amount of time advising on how the SCCs' signature block should look, and what is the easiest way to have them signed."
Among the clarifications provided by the Commission, Question 6 highlights that the use of the SCCs requires parties to fill in the annexes to the SCCs and sign Annex I. In terms of the execution of such signature, the Commission is less definitive in its guidance, providing that 'the SCCs do not contain any requirements on how the signature should be formalised (e.g., whether it can be done electronically). This is left to national (civil/contract) law governing the agreement'.
For Carlo Piltz, Founding Partner at Piltz Legal, this provides an important practical clarification regarding whether SCCs require party signature:
"In the opinion of the Commission, this seems to be the case […] At the same time, however, the Commission also makes it clear that it is crucial that the SCCs are agreed upon in a binding manner. How the signature is to be formally executed (e.g. electronically) is left to national law by the Commission. The Commission's view here seems rather strict to me. Under national contract law, contracts can also be concluded and be binding without a final signature on a document. However, companies should keep the Commission's view in mind when concluding SCCs."
For his part, Domokos added that the Commission's guidance on the form of SCC signature provides "much more flexibility", noting that parties and the signatories "can use various digital signature tools and even delegate the signing tasks through a local Power of Attorney".
2. SCCs do not apply to importers subject to GDPR via Article 3 application
The Q&A offers a section of questions dedicated to clarifying the scope of the Third Country Transfer SCCs and the application of the various modules to different transfer scenarios.
As a starting point, the Commission clarifies that the SCCs can be used:
- by controllers and processors in the EEA to transfer data outside the EEA, in particular:
  - by an EEA controller to transfer personal data to a controller or processor outside the EEA that is not subject to the GDPR; or
  - by an EEA processor to transfer personal data to a sub-processor or to a controller outside the EEA (on whose behalf it is processing the data) that is not subject to the GDPR; or
- by non-EEA controllers and processors for data transfers related to these processing operations to non-EEA entities, in particular:
  - by a controller outside the EEA whose processing is subject to the GDPR to a controller or processor outside the EEA that is not subject to the GDPR; or
  - by a processor outside the EEA whose processing is subject to the GDPR to a sub-processor or to a controller outside the EEA (on whose behalf it is processing the data) that is not subject to the GDPR.
However, following the precedent set by the EDPB's draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on 18 November 2021, the Commission confirmed that the Third Country Transfer SCCs cannot be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR by virtue of the extraterritorial application of Article 3 of the GDPR, and further confirmed that it is in the process of developing new SCCs for this scenario.
Piltz identifies the practical implications of this clarification:
"This means that, for example, SCCs may not actually be concluded with service providers in a third country who are already subject to the GDPR anyway because of the services they offer in the EU. In practice, however, SCCs have very often been concluded in precisely these cases in recent months. The background to this is that in practice it was partly assumed that the Commission would not issue SCCs that do not apply in these situations of applicability of the GDPR to the recipient. Because this is likely to be true in most cases. So, very harshly speaking, many SCCs now concluded are not valid or do not form a basis for data transfers. However, this result is not satisfactory from a company perspective. We will have to wait and see how the authorities assess these situations".
3. Same parties may adopt several modules
Additionally, the Q&A provides guidance on the application of the four distinct modules of the Third Country Transfer SCCs, which are divided as follows:
- transfer controller to controller;
- transfer controller to processor;
- transfer processor to processor; and
- transfer processor to controller.
In addition to providing practical examples of when and how to apply these modules (Question 27), the Commission clarified that several modules may be agreed between the same parties at the same time (Question 28). More specifically, the Commission outlined that parties may assume different roles for different data transfers taking place between them as part of their overall contractual relationship, and that when this is the case, they should use the appropriate module for each such transfer.
This represents an important clarification for Piltz, who highlighted, "[t]his means that in practice companies can conclude SCC once and then have to choose the appropriate module depending on their role for the respective transfer. However, it is not necessary to always conclude completely new SCC for each change of role (controller or processor)".
4. SCC liability cannot be limited by general clauses
Question 35 stands out for Domokos as an important clarification to a previously unanswered question: can liability under the SCCs be limited by general liability clauses in the main services/commercial agreement?
Domokos explains, "[i]n practice, limitation of liability provisions are common in case of service or similar agreements, where the parties also share personal data – e.g. in case of cloud services. Until now, it was an unanswered question whether the limitation of liability in the main contract (e.g. cap for direct damages, exclusion of indirect damages etc.) is acceptable for data protection related liabilities as well – the GDPR was silent on limitation of liability, and there was no regulatory practice either".
The Commission provides the following answer to this question: 'SCCs regulate two types of liability: (1) liability of the parties towards data subjects (see Module 1 and 4, Clause 12(b) and (c); and Module 2 and 3, Clause 12(b), (c) and (e) of the SCCs) and (2) liability between the parties (see Module 1 and 4, Clause 12(a); and Module 2 and 3, Clause 12(a) of the SCCs). Other clauses in the broader (commercial) contract (e.g. special rules on the distribution of liability, liability caps in the relationship between the parties) may not contradict or undermine these liability schemes of the SCCs.'
With that clarification provided, Domokos concludes that "it should be clear that limitation of liability provisions do not cover data protection related non-compliance".
5. A risk-based approach to TIAs?
The final set of questions of the Q&A addresses third-country laws and government access with a view to guiding compliance with Clause 14 of the Third Country Transfer SCCs, which requires parties to carry out TIAs. Notably, the Commission highlighted that when carrying out TIAs, the parties should consider the specific circumstances of the transfer (e.g. the categories and format of the data, the type of recipient, the economic sector in which the transfer occurs, and the length of the processing chain) and the laws and practices relevant in this context.
Specifically, the Commission clarified that for this, 'as regards the impact on compliance with the SCCs, the parties may consider different elements as part of an overall assessment […] such as reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer'.
As regards the outcome of such an assessment, the Commission recalls that in the event of a negative assessment, the parties may only transfer data based on the SCCs if they put in place supplementary safeguards that address the situation and thus ensure compliance with the Third Country Transfer SCCs; for this purpose, the EDPB's Recommendations should be read alongside Clause 14.
Notably, it has been an issue of contention since the Schrems II decision whether considerations such as the existence of actual requests and the practical experience of the parties to the transfer, used to inform an assessment of the risk of third-country authority access to personal data (the so-called 'risk-based approach'), are relevant in assessing whether an essentially equivalent level of protection exists for the purpose of Chapter V of the GDPR. Recently, the Austrian data protection authority ('DSB') expressly rejected the possibility of a risk-based approach, finding, on the basis of the wording of Article 44 of the GDPR and of those provisions of the GDPR where a risk-based approach is expressly established, that the legislator did not intend a risk-based approach to Article 44 of the GDPR and that such an approach must, as such, be precluded.
Assessing the Commission's response under Question 40, Piltz remarked, "[o]n question 40, I think the Commission does allow for a risk-based approach. However, one has to be careful here. The risk that you have to take as a company lies primarily at the legal level, in the assessment and review of the level of protection on the part of the recipient. Here, it may be that the result is that national law offers sufficient protection to comply with the SCC. The legal risk is that a court or an authority could evaluate this assessment differently. However, the Commission does not explicitly refer to a factual risk-based approach in its response".
Meanwhile, having reviewed Question 40, Domokos told us:
"Parties already adopt a risk-based approach to TIAs. In our experience, whilst companies are working on the update of their old SCCs smoothly (because it is a rather clear process according to the new template), they prefer a 'wait and see' approach regarding TIAs. Namely, companies exchange experience with each other on the preferred format of the TIAs, and keep their eye on the regulators' attitude […] Unfortunately, the Commission's Questions and Answers do not provide more details than the EDPB's guidelines, so – apologies for being blunt – Question 40 is not really helpful in this respect. For example, the answer to Question 40 uses the term 'negative assessment', but does not provide further details on the criteria of such an assessment. Strictly speaking, if a non-EEA country did not receive an 'adequate' status from the Commission, it may always be in the 'negative assessment' category – otherwise, it would have already been 'adequate'. Instead of general criteria and 'risk-based approach', it would be more helpful for companies to have an official (Commission or EDPB-approved) list of specific technical, organisational and contractual measures that they can choose from. Case-by-case decision making on the relevant measures in case of each transfer / TIA is impossible in case of a multinational with complex data flows".
Where is further guidance needed?
With an eye beyond the deadline, Domokos highlighted an upcoming operational challenge in the form of reviewing and auditing transfers, noting that "[t]he next task is the recurring audit of the data transfers. Unfortunately, the Questions and Answers do not provide much detail on this – e.g. the frequency of such audits, the specific scope, the extent (e.g. how the sub-processors should be audited) and the technical challenges (e.g. on-site audit in case of a cloud computing service). We expect that this will be another challenge for both companies and regulators".
Alexis Galanis Lead Privacy Analyst
With comments provided by:
Marton Domokos Senior Counsel
CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe, Budapest
Dr. Carlo Piltz Founding Partner
Piltz Legal, Berlin