EU: Reactions to new draft SCCs
In the wake of the European Commission's publication of its long-awaited draft Standard Contractual Clauses ('SCCs') within the Annexes of both its draft Implementing Decision on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ('the Article 46 SCCs') and draft Implementing Decision on Standard Contractual Clauses between Controllers and Processors for the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 ('the Article 28 SCCs'), the public consultations on the same are well underway and due to close on 10 December 2020. This Insight summarises some of the emerging commentary, criticisms and appraisals regarding the new SCCs.
In particular, Article 46(2)(c) of the GDPR outlines that appropriate safeguards for data transfers to third countries may be provided for through standard data protection clauses adopted by the Commission. Notably, the Article 46 SCCs would replace the existing SCCs from 2001, 2004 and 2010 for international transfers outside of the EU as adopted under the Data Protection Directive 95/46 following the introduction of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), specifically Article 46(2)(c) of the GDPR, and the Court of Justice of the European Union’s ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II').
Although the Schrems II judgment found SCCs to be a valid mechanism for international data transfers, it provided that additional clarifications needed to be taken into consideration when they are used and thus placed the onus on the data exporters and importers to ensure an adequate level of protection for personal data through third country assessments.
The Article 28 SCCs are intended to outline contracts between controllers and processors under Article 28 (7) of the GDPR and Article 29 (7) of Regulation (EU) 2018/1725 on the Protection of Natural Persons with regard to the Processing of Personal Data by EU Institutions, Bodies, Offices and Agencies and on the Free Movement of such Data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
In the outcome of its 42nd plenary session, the European Data Protection Board ('EDPB') commented that its aim is to ensure full harmonisation and legal certainty across the EU regarding contracts between controllers and their processors. In addition, the EDPB announced that the Commission had requested a joint opinion from the EDPB and the European Data Protection Supervisor ('EDPS') on both new SCCs.
For further information on the SCCs, please see EU: New draft SCCs from the Commission.
Recital 10 of the draft Implementing Decision for the Article 46 SCCs outlines that 'the standard contractual clauses set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains.'
The Article 46 SCCs are divided into the following four distinct modules:
- Transfer controller to controller;
- Transfer controller to processor;
- Transfer processor to processor; and
- Transfer processor to controller.
Where applicable, the SCCs specify how their provisions would apply to each of the relevant modules. The SCCs consist of the following:
- Purpose and scope
- Third party beneficiaries
- Description of the transfer(s)
- Optional – Docking clause
Section II – Obligations of the parties
- Data protection safeguards, according to all four modules
- Local laws affecting compliance with the Clauses, according to all four modules
- Obligations of the data importer in case of government access requests, according to each of the four modules
- Use of sub-processors, according to modules 2 and 3
- Data subject rights, according to all four modules
- Redress, according to modules 1, 2 and 3
- Liability, according to all four modules
Section III – Final provisions
- Non-compliance with the Clauses and termination
- Governing law
- Choice of forum and jurisdiction
Bridget Treacy and Olivia Lee, Partner and Associate, respectively, at Hunton Andrews Kurth LLP, London, told OneTrust DataGuidance, "The modular approach reflects the welcome effort of the Commission to recognize the complex ecosystems of personal data flows. There has been a significant gap in the regime with respect to international transfers made by processors which the new SCCs seek to address. However, the modular approach will also increase the burdens on organizations executing SCCs. All parties will need to determine the particular capacity in which they act for each of their data transfers, and make assessments of the level of protection offered to personal data in the recipient jurisdiction. These requirements are likely to make contractual negotiations with vendors more burdensome, and in some cases organisations will need to scrutinize their international transfers in a manner that may have been avoided in the past. Contractual discussions will likely be further complicated by negotiations over allocation of liability, especially given the potential fines under the GDPR, since the SCCs provide for joint and several liability in some instances. For organizations that have hundreds or thousands of vendors, entering into these kinds of negotiations with respect to SCCs simply may not be possible."
Furthermore, Sonia Cissé and Jean Fau, Counsel and Associate, respectively, at Linklaters LLP, told OneTrust DataGuidance, "The new SCCs will likely provide a flexible and generally business-friendly instrument (provided the draft is effectively adopted without substantial modifications). They definitely constitute a significant step forward on the current SCCs, that are clearly showing their age and do no longer fit all the business challenges faced by companies."
Are the new draft SCCs as you expected?
It has been well-established and discussed that the existing SCCs present various issues when faced with the current nature of international data transfers and have needed to be updated since 2018 when the GDPR came into force. As such, expectations for the content of the new SCCs have been high.
On the one hand, Claire François, Counsel at Hunton Andrews Kurth LLP, told OneTrust DataGuidance, "If they should be welcomed as a real step forward, they do not meet all expectations. For example, with respect to data transfers from controllers to processors and/or processors to processors, it was expected that the SCCs would incorporate all the requirements of Article 28(3) and (4) of the GDPR. According to Clause 1(c) of Section 1 of the SCCs, the SCCs set out appropriate safeguards not only pursuant to the GDPR cross-border data transfer rules (Article 46 GDPR), but also pursuant to Article 28 of the GDPR. However, certain duties of assistance that the processor owes to the controller are not explicitly listed there, such as the obligation to assist the controller in carrying out Data Protection Impact Assessments ('DPIAs') when required, and in consulting the competent EU/EEA data protection authority when the outcome of the DPIA reveals that there is a high risk that cannot be mitigated. Further, the SCCs do not fully take into account the recent Guidelines of the EDPB on the concepts of controller and processor that further specify the obligations laid down in Article 28 of the GDPR. Accordingly, unless the final version of the SCCs is amended in that respect, organisations will have to complete the SCCs for the above-mentioned transfers, and even further detail some of the provisions of the SCCs. This is a missed opportunity in that respect."
Furthermore, Treacy and Lee stated, "There are some additions that appear, at first glance, to be impractical, such as the audit rights over sub-processors that are afforded to controllers under the new provisions. Realistically, these parties are likely to have no, or very little, direct contact. Sub-processors will likely act for hundreds or possibly thousands of ultimate controllers depending on the nature of their business. There are also some areas where additional guidance from the Commission would be of assistance. For example, there is an emphasis on accountability with a requirement that the parties demonstrate their compliance with the SCCs provisions. Guidance as to what appropriate documentation might look like would assist organizations with planning their compliance program, and understanding how this fits with their general accountability obligations under the GDPR."
On the other hand, François continued, "The new SCCs respond to most changes in organisations’ processing activities. The existing SCCs have often been criticised for covering only limited data transfer scenarios, and for requiring the presence of a controller in the EU, meaning that organisations subject to the GDPR under Article 3(2) (the 'targeting' test) cannot currently execute SCCs. One major development is the possibility for such organisations to execute the new SCCs. It will no longer be necessary to have an establishment in the EU (besides, acting as a controller) in order to execute the new SCCs. Another major development includes a more flexible approach of the SCCs: they cover various data transfer scenarios and take into account evolving business relationships, by introducing an optional 'Docking Clause.' That clause will allow additional controllers and processors to accede to the SCCs as data exporters or importers throughout the life cycle of the agreement to which the SCCs are annexed, without the need to execute new SCCs each time there is another party."
Treacy and Lee further highlighted, "These changes will provide more flexibility for organisations, especially since the new SCCs provide, through the governing law clause, the ability for parties to select either the governing law of the exporter's jurisdiction, or the law of a Member State, provided that it allows third party beneficiary rights. This will enable data exporters that are subject to the GDPR by virtue of Article 3(2) to execute the SCCs, despite not being located in the EU. This is not currently possible under the old SCCs, and is a known gap. However, the days of organisations taking a fairly light touch approach to their SCCs have disappeared and it is clear that they will instead need to understand the detail of their data flows in order to implement the new SCCs, particularly if the SCCs form part of a broader commercial agreement."
The new SCCs have international scope for third countries and organisations offering goods or services to, or monitoring the behaviour of, data subjects within the EU.
François highlighted, "As SCCs are the most common data transfer mechanism, and the new SCCs will repeal the existing sets of SCCs, importers in non-EEA 'inadequate' countries will certainly utilise the new SCCs. In most cases, they will have no choice, pending the implementation of a new Privacy Shield framework. Accordingly, they may be subject to additional obligations under the SCCs."
Beyond this, Treacy and Lee noted, "It is also possible that the numerous other jurisdictions that have implemented GDPR-style data protection laws with data transfer restrictions may also take inspiration from these draft SCCs and consider their own versions. Some may even copy the approach wholesale."
Cissé and Fau recalled, "Given the transfer hypothesis covered by the new SCCs, companies, whether acting as controllers or processors, dealing with European companies will be impacted. In the same way that they have, under certain circumstances, to comply with the GDPR to make business with Europe, they will now have to use these SCCs for fear of not being retained as a valuable commercial partner. Also, even for non-EEA jurisdictions, considering the focus of individuals and regulators on data protection, these SCCs constitute a good contractual basis, guaranteeing a certain level of protection that could contribute to the good reputation of a company."
Treacy and Lee also spotlighted the impact of the new SCCs on the UK's exit from the EU: "Otherwise, one of the non-EEA jurisdictions that will be closely watched is the UK. The Brexit implementation period comes to an end on 31 December 2020, and the new SCCs seem unlikely to be formally adopted by then. So, while the UK has made provision for the GDPR to form part of its domestic law from 1 January 2021, meaning that the UK’s data protection regime will be essentially identical to the EU’s at the end of the Brexit transition period on 31 December, from that point the UK will have discretion as to whether it fully aligns itself with the EU approach, including in relation to the new SCCs. In reality, the UK will likely be under pressure to adopt a version that is very similar to the Commission’s draft, particularly if the UK has received an adequacy determination, or remains on its journey towards an adequacy determination."
The relevant implementing decisions directly reference the Schrems II judgment on multiple occasions. For instance, Article 11 of the Article 46 SCCs implementing decision states that, in order to provide appropriate safeguards, the SCCs should ensure that the personal data transferred on that basis are afforded a level of protection essentially equivalent to that which is guaranteed in the EU, further noting the importance of transparency of processing, providing data subjects with a copy of the SCCs, and informing them of any change of purpose and identity of any third party. The SCCs provide for specific safeguards to address any effects of national laws on the data importer's compliance with the SCCs, specifically regarding the handling of binding requests from public authorities in the third country for disclosure of the relevant personal data.
EDPB Chair Andrea Jelinek noted, in the 42nd plenary session outcome, that the SCCs form only part of the compliance puzzle for data exporters, and that the EDPB Recommendations 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, released the day before the new draft SCCs, must be implemented in conjunction.
François affirmed, "The new SCCs propose a sort of tool with a methodology to undertake the assessment of the data transfers required by the Schrems II decision. However, it would be naïve to believe that, by executing the new SCCs, the transfers will be Schrems-proofed. The parties must undertake that assessment before entering into the new SCCs, taking into account the specific circumstances of the transfers, the laws of the destination country relevant to the circumstances of transfer, and any additional safeguards. In light of the EDPB’s recent recommendations on supplementary measures, such additional safeguards will have to be implemented in order to mitigate risks of non-compliance, including technical and organizational measures and even additional contractual safeguards. The new SCCs only mirror some of the contractual obligations recommended by the EDPB, and other contractual clauses could be added to that end. SCCs are just standard clauses, i.e., a basis for transferring personal data to third countries. They should not be regarded as sufficient by themselves."
Treacy and Lee concluded, "Even once finalised following consultation, there is nothing to prevent the validity of these SCCs from being called into question in the same way as other transfer mechanisms. If we have learnt anything from the Schrems II judgment, it is that we cannot be complacent with respect to the tools used to transfer data, even where they have been sanctioned by the Commission. They will still be open to challenge. There is some discrepancy in the measures organisations are expected to take under the draft SCCs and the draft EDPB recommendations, with the EDPB setting out substantially more onerous obligations. As a result, we may find that the drafts change as the EDPB and European Commission converge on a common approach."
Looking forward, Cissé and Fau recalled, "The current SCCs are grandfathered for a year but, after that deadline, won’t be considered as an approved transfer mechanism. This means that, in practice, an important amending (or re-contracting) exercise can be expected to take place by 2022."
Amelia Williams Privacy Analyst
Comments provided by:
Bridget Treacy Partner
Hunton Andrews Kurth LLP, London
Olivia Lee Associate
Hunton Andrews Kurth LLP, London
Sonia Cissé Counsel
Jean Fau Associate
Claire François Counsel
Hunton Andrews Kurth LLP, Brussels