EU: New draft SCCs from the Commission
Following the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) ('the Schrems II Case'), the future of Standard Contractual Clauses ('SCCs') had very much hung in the balance. The issuance of new SCCs by the European Commission ('the Commission') then shines some light on a way forward for international data transfers. David Dumont and Laura Léonard, Partner and Associate respectively at Hunton Andrews Kurth LLP, break down some key points from this development and what comes next.
On 12 November 2020, the Commission published a draft implementing decision on SCCs for the transfer of personal data to third countries pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') [1], along with its draft set of new SCCs [2].
Under the GDPR, transfers of personal data to countries outside the European Economic Area ('EEA') that have not been formally recognised by the Commission as providing an adequate level of data protection can generally only take place if appropriate safeguards have been implemented to ensure an adequate level of protection for the data after it has left the EEA. Article 46 of the GDPR sets forth a number of tools that companies can rely on to ensure that such safeguards are in place, including SCCs adopted by the Commission.
The current sets of SCCs were adopted by the Commission under the EU Data Protection Directive (Directive 95/46/EC), the predecessor to the GDPR. Therefore, there was an urgent need to update the existing clauses. In addition, the Commission aimed to address a number of issues raised by the CJEU in the ruling in the Schrems II Case with respect to the protection afforded to personal data transferred from the EEA to third countries (including the US). Following the Schrems II Case, data exporters in the EEA relying on one of the transfer mechanisms recognised under Article 46 of the GDPR, such as SCCs, are expected to assess, on a case-by-case basis, whether the law of, or practices in, the data importer's country may impinge on the effectiveness of the transfer mechanism they are relying on. If so, data exporters need to assess whether they can implement supplementary measures to ensure a level of protection for the personal data that is essentially equivalent to the EEA's protections.
Key takeaways from the new SCCs
Modular approach to accommodate diversity of transfer scenarios
Currently, there are three sets of SCCs, covering two main data transfer scenarios - i.e. two sets for data flows from a controller in the EEA to another controller outside the EEA, and one set of SCCs for transfers between an EEA controller and a processor recipient outside the EEA. Instead of releasing several new sets of SCCs, the Commission seeks to accommodate the complexity of modern data processing chains by combining a number of general clauses applying in all transfer scenarios with modular clauses that should be selected based on the role of the parties. The modular clauses cover a wide range of data transfer scenarios, namely controller-to-controller transfers, controller-to-processor transfers, processor-to-processor transfers, and processor-to-controller transfers.
The general clauses provide, among other things, obligations for the parties with respect to government access requests and obligations in the event that the data importer is unable to comply with the SCCs. Furthermore, the general clauses address issues such as a redress mechanism for data subjects, indemnification in the event of a breach of the SCCs, supervision of transfers by data protection authorities, termination of the SCCs, and governing law and the choice of forum and jurisdiction in the event of a dispute arising from the SCCs.
In addition to the general clauses, controllers and processors must select and incorporate the modular clauses that are relevant to the transfer scenario in question. Depending on the data exporters' and importers' categorisation as controller or processor, the modular clauses include language regarding:
- the data protection safeguards that must be implemented by the parties;
- appointment of sub-processors in the context of controller-to-processor and processor-to-processor transfers;
- data subject rights and the parties' obligations in the event of a data subject rights request; and
- the respective parties' liability.
As well as the main body of the clauses, there are a number of detailed Annexes to the SCCs. In Annex I, the parties must include a description of the transfers and list the parties to the clauses. Annex II must be completed by the data importer(s) to include a description of the technical and organisational measures implemented to ensure an appropriate level of security for the transferred data. Finally, Annex III requires the listing of any sub-processors that are involved in the processing of the transferred data.
According to the Commission, the SCCs may be incorporated into a broader contract and accompanied by additional clauses or safeguards, provided that these clauses or safeguards do not directly or indirectly contradict the SCCs or prejudice data subjects' fundamental rights or freedoms.
Organisations in the EEA are encouraged to implement additional contractual safeguards that supplement the SCCs. In doing so, controllers and processors must take into account the recent recommendations of the European Data Protection Board ('EDPB') regarding supplementary measures in the context of international transfer safeguards such as SCCs [3] and the recommendations on the European Essential Guarantees for surveillance measures [4].
Broader scope to reflect the GDPR's extraterritorial reach
The new SCCs provide more flexibility for situations where the 'data exporter' subject to the GDPR is not established in the EEA. This is a welcome improvement for organisations established outside the EEA that are caught by the GDPR's extraterritorial reach under Article 3(2) and currently have very limited tools to ensure compliance with their obligations under Chapter V of the GDPR.
The Commission has addressed this issue by allowing the parties to choose the applicable governing law: either the law of the Member State in which the data exporter is located or, alternatively, the law of one of the Member States of the EU, provided that it allows for third-party beneficiary rights. This second option makes it possible for non-EEA exporters to rely on the SCCs as a data transfer mechanism. The current sets of SCCs require the data exporter(s) to be located in the EEA, making it impossible for non-EEA exporters to rely on them.
More flexibility to facilitate use of SCCs in complex and constantly evolving relationships
The EU Commission also aims to facilitate the use of SCCs as a data transfer mechanism in complex, multiparty, and constantly evolving international relationships. While the existing sets of SCCs were designed for more traditional one-to-one relationships, the new SCCs clearly contemplate situations where multiple parties are involved on the data exporter and/or data importer side. Furthermore, the new SCCs provide an optional 'docking clause' (see Section I of the SCCs) to accommodate the accession of additional parties during the life cycle of the contract.
Clauses to reflect strengthened data protection framework under the GDPR
The new SCCs reflect the data protection principles and requirements set forth in the GDPR. In light of this, the modular clauses (see Section II of the SCCs) include:
- (where appropriate) safeguards relating to the data exporter's instructions for the transfer;
- purpose limitation;
- data minimisation;
- storage limitation;
- erasure and return of data;
- transfer of sensitive data and data relating to criminal convictions or offences;
- onward transfers;
- accountability obligations of the parties;
- appointment of sub-processors (for controller-to-processor and processor-to-processor transfers);
- data subject rights; and
- the parties' obligations in the event of a data subject rights request.
Furthermore, the modular clauses to be included in SCCs with processors reflect the data protection obligations that must be included in data processing agreements pursuant to Article 28 of the GDPR. This resolves the current situation in which data exporters must supplement the current set of controller-to-processor SCCs with provisions that are necessary to meet the requirements under Article 28. That said, the fact that the content of the modular clauses and the obligations imposed on processor(s) under the SCCs cannot be modified may lead to more pushback in negotiating obligations that go beyond those in the SCCs (for example, obligations and liabilities relating to data breaches).
It is also interesting to note that the data processing terms included in the new SCCs are somewhat minimalist in comparison to the detailed approach recommended by the EDPB in its guidelines on the concepts of controller and processor [5]. For example, while the data processing terms included in the new SCCs generally reflect the requirements of Article 28 of the GDPR, the EDPB took the view that data processing agreements should contain specific details of how the processor will assist the controller in meeting its obligations under the GDPR (including with respect to notifying data breaches and carrying out Data Protection Impact Assessments).
Specific clauses to accommodate Schrems II concerns
The new SCCs include clauses that are specifically designed to address the ruling of the CJEU in the Schrems II Case (see Section II of the SCCs), including an obligation to conduct and document a transfer risk assessment and to make it available to data protection authorities upon request. The new SCCs also impose extensive obligations for the data importer in relation to government access requests, including a requirement to notify the data exporter of such requests, review the legality of the request, and ensure that only the minimum amount of information required under applicable law is provided in response to such request.
With respect to the transfer risk assessment (required following the Schrems II ruling), the draft implementing decision of the Commission provides that organisations should take into account the specific circumstances of the transfer, including subjective factors such as the likelihood of the data importer receiving an access request from public authorities. This seems to be somewhat different from the position taken by the EDPB in its recent recommendations regarding supplementary measures. According to the EDPB, organisations should focus on objective factors when assessing the impact of the law and practices in the data importer's jurisdiction on the effectiveness of the safeguards provided in the SCCs. The EDPB cautions against reliance on subjective factors such as the practical likelihood of public authorities actually accessing the transferred data in a manner that is inconsistent with EU standards. Both the EDPB recommendations on supplementary measures and the Commission's implementing decision are open for public consultation - it remains to be seen whether they decide to further align on this point.
More comprehensive requirements around onward transfers
Onward transfers to additional recipients in third countries are subject to more prescriptive requirements under the new SCCs. In general, these transfers will be allowed if:
- the recipient accedes to the SCCs;
- protection of the personal data transferred is ensured by other means; or
- data subjects have provided their informed and explicit consent.
In addition, the modular clauses applicable to processor-to-processor transfers (see Section II of the SCCs) impose certain obligations on the data importer that ultimately may require direct interaction with the data controller that initially provided the data exporter with the relevant personal data. For example, the data importer must inform and cooperate with the data exporter and the initial data controller when it becomes aware that personal data transferred or received is inaccurate. In the event of a breach, the data importer must notify the data exporter and the data controller. In addition, data importers must make available to the data exporter and the data controller all information necessary to demonstrate compliance with the SCCs and allow for and contribute to audits organised by the data exporter and/or the data controller. Further, if the data importer wishes to appoint a sub-processor, it must either inform the data controller prior to such appointment (where the parties opted to include a general written authorisation for the use of sub-processors) or obtain the data controller's written authorisation (where the parties opted for a specific prior authorisation). These obligations will have to be carefully considered by data processors and may prove particularly challenging when dealing with complex processing chains, where there is no direct link between the data controller and the sub-processor(s) receiving the data under the processor-to-processor SCCs.
The new SCCs are open for public consultation until 10 December 2020, and feedback may be submitted here. The final draft SCCs incorporating the feedback from the public consultation are expected to be published by the EU Commission by the end of 2020.
The adoption process for the SCCs requires an opinion of the EDPB and the European Data Protection Supervisor ('EDPS'). The SCCs must also be reviewed by representatives of each EU Member State and approved through the comitology procedure. This process is expected to be completed by early 2021.
The new SCCs will likely not be adopted before the end of the Brexit transition period on 31 December 2020. If that is the case, the new SCCs will not constitute 'retained EU law' and will not automatically be available in the UK. It is expected that the UK will promptly implement a similar or alternative transfer mechanism, but companies in the UK will not immediately be able to rely on the new SCCs to transfer personal data to third countries.
After the adoption of the SCCs, controllers and processors will be able to continue to rely on the existing sets of SCCs during a transitional period of one year, provided that the contract between them remains unchanged, apart from the inclusion of necessary supplementary clauses to ensure that the transfer of personal data is subject to appropriate safeguards as required by the CJEU's judgment in the Schrems II Case.
1. See the EU Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.)
2. See Annex to the EU Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (see Ibid.).
3. See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en).
4. See Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (available at: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en).
5. See the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR - version for public consultation (available at: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en).