EU: EDPB and EDPS joint opinion on cross border transfer SCCs
The European Data Protection Board ('EDPB') and European Data Protection Supervisor ('EDPS') have issued their Joint Opinion 2/2021 on the European Commissioner's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses what the opinion sets out and what it means for US-based companies and multinationals.
The EDPB's Supplementary Measures are here to stay
The Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the Supplementary Measures') will remain relevant and should also be applied after the adoption of the Draft Standard Contractual Clauses ('SCCs').
The EDPB and EDPS call upon the European Commission ('the Commission') to clarify that there may still be situations where, despite the use of the new SCCs, ad hoc supplementary measures will still need to be implemented in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.
SCCs may apply to non-EU entities which are subject to the GDPR
The EDPB and the EDPS recommend that the Commission clarify that the fact that the proposed SCCs only apply to transfers to third parties not [emphasis added] subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not in itself mean that transfers to non-EU entities subject to the GDPR under Article 3(2) fall outside the Chapter V GDPR requirements for cross-border transfers to third countries.
It's not clear how the SCC modules work
The Commission should clarify (by way of additional guidance) whether:
- one set of the SCCs can include several modules in practice to address different situations, or whether this should amount to the signing of several sets of the SCCs; and
- the controller-to-controller module can be used for transfers between and among joint controllers or only separate controllers.
For cross-border transfers, use the cross-border SCCs
If you need both Article 28 (controller-processor) and Article 46 (cross-border transfer) GDPR clauses, use the cross-border clauses.
The Commission should clarify which provisions contradict the SCCs (and negatively impact or prevent compliance with them).
Third party beneficiary rights should be listed
The Commission should list the rights that are enforceable by data subjects as third party beneficiaries.
Per the EDPB/EDPS, this should include, at minimum:
- third party beneficiary clause;
- interpretation and hierarchy of documents clause;
- data importer's obligation to deal with the data exporter's inquiries (or vice versa depending on the module);
- data exporter's obligation to inform the data importer that it acts under the controller's instructions;
- data importer's obligation to process the personal data under the controller's instructions and those transmitted by the data exporter;
- data importer's obligation to inform the data exporter when the data importer is unable to follow those instructions and the data exporter's obligation to notify it to the controller;
- non-compliance with sub-processing commitments may have an impact on data subjects and their rights; and
- data importer's agreement to cooperate with the competent supervisory authority.
No essential equivalence, no supplementary measures - no transfers
The Commission should clarify that the SCCs apply only to situations where, at the time of the conclusion of the contract, either the relevant law(s) of the third country was (were) assessed to be providing an essentially equivalent level of protection to that guaranteed within the EU, or where effective supplementary measures to remedy the potential deficiencies identified in such legislation and/or practices and to ensure the effective application of the safeguards contained in the Draft SCCs have been put in place.
The clauses should also apply in the absence of laws in the third country that relate to government access to personal data - in the absence of such laws, the parties should nevertheless, based on any available information, strive to identify any practice applicable to the data transferred preventing the data importer from fulfilling its obligations.
Documented transfer impact assessment
The SCCs should require that the documented transfer impact assessment be attached as an exhibit to the clauses.
No risk based approach
The assessment of whether there is anything in the law or practice of the third country of destination, which prevents the data importer from fulfilling its obligations under the draft SCCs in the context of the specific transfer, should be based on objective factors, regardless of the likelihood of access to the personal data.
The mere fact that the data falls within the scope of third country legislation that allows access to data by public authorities without specific essential guarantees would amount, per se, to considering that such access will possibly take place, without the need to rely on any practical experience in this regard or on the absence of requests for disclosure from public authorities received by the data importer.
Data subject requests should be handled by the data exporter
Data subject requests should be handled by the data exporter, or (for example if the exporter is outside of the EU) as otherwise agreed by the parties. The parties should also commit to assist and cooperate with each other when handling data subjects' requests.
There should be more transparency
When providing information, controllers should include the types of personal data processed by the data importer, and the period for which personal data will be stored by the latter (or criteria used to determine it).
Individuals should have the right to access, upon request: (i) precise information on onward transfers including sub-processors (full contact details); (ii) precise information on the time period the data will be stored (or the criteria to determine it); and (iii) any available information as to the source of collection where the data is not collected directly from data subjects.
Individuals should be able to file claims with the supervisory authorities
The clauses should clarify that the data importer must accept the right of the data subject (who invokes his or her rights as a third-party beneficiary) to lodge a complaint directly with an EEA supervisory authority and/or bring a claim before an EEA court without the need to seek an amicable resolution of the dispute in advance. The clauses should stipulate that data subjects shall be able to choose to lodge a claim before the supervisory authority of their habitual residence, place of work, or place of the alleged infringement.
The annexes should be precise and detailed
The annex to the contract should be precise enough so it is possible at any point in time to determine who takes which role as regards a specific transfer or set of transfers of personal data.
Each transfer or set of transfers carried out for one or several certain and defined purposes should be separately described on the basis of its/their purpose(s), the types of personal data transferred, the category or categories of data subjects, the type(s) of processing, and the parties to the transfer (data importer(s) and data exporter(s)), as well as the role of the respective parties (controller(s) or processor(s)).
Such a distinct annex, required for each transfer or set of transfers, should be signed only by those data exporters and data importers which carry out the respective transfer.
Only those specific technical and organisational measures that will be applied to the respective transfer/set of transfers should be enumerated; technical and organisational measures that apply only to other transfers/categories of transfers covered by the same Multi Party Agreement should be set out only in the annex that relates to those respective transfers.
The annex should include the list of intended sub-processors (including, per each, their location, the processing operation(s), and type of safeguards they have implemented).
Additional requirements for onward transfers
The importer must be required to notify the data exporter of onward transfers.
The onward transferee must sign the right module of clauses or an agreement imposing the same obligations as those included in the draft SCCs between the data exporter and the data importer.
The onward transferee also must assess whether it is able to comply with the obligations set out by the draft SCCs under the third country law applicable to this third party and, where necessary, to implement supplementary measures to ensure a level of protection essentially equivalent to the one required in the EEA.
The data importer should provide data subjects with a copy of the safeguards implemented for the onward transfer, upon request.
The Commission should clarify that consent of the data subject could, as an exception, frame the onward transfers only if other mechanisms listed in the draft SCCs cannot be relied upon.
Also, the Commission should assess the possibility of onward transfers in particular for the establishment, exercise or defense of legal claims, and to protect the vital interests of the data subject or of other persons.
Requirements regarding data processor retention of information
Deletion or return of information should be at the choice of the controller, not the processor. A processor may retain the data if required by law but only if such law respects the essence of the fundamental rights and freedoms and does not exceed what is necessary and proportionate in a democratic society. Specific data retention periods required by law should be set forth in the annex.
If the processor keeps the data due to a legal obligation, it must continue to provide the protection given by the draft SCCs fully and without exceptions, to allow for the continuity of the protection.
Audit, instructions and additional provisions
The processor may propose an independent auditor but the decision about the auditor must be left to the controller.
The clauses should clarify how a controller can give additional instructions (on top of what is in the contract).
The clauses should be supplemented to include all provisions in Article 28 of the GDPR (e.g. personnel subject to an obligation of confidentiality, data breach notification, etc.).
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia