In November 2020, the European Commission released a new set of standard contractual clauses (SCCs) for cross-border transfers of personal data for public consultation. Under Article 46 (2) (c) GDPR, international data transfers may be justified by concluding such SCCs between data exporters in the EU/EEA and data importers in so-called "third countries" outside the EU/EEA. In light of the recent Schrems II judgement of the European Court of Justice (Case C-311/18), leading to the annulment of the EU-US Privacy Shield by the Court, SCCs are bound to play an even bigger role in legitimizing international data transfers.
The current sets of SCCs have been around since 2001/2004 (for controller-to-controller transfers) and 2010 (for controller-to-processor transfers) respectively. Events such as the adoption of the GDPR or, more recently, the Schrems II judgement and the subsequent guidance published by the European Data Protection Board (EDPB) have warranted an update of the current SCCs. The draft published by the Commission takes a different approach from the current clauses, taking into account some of the recent developments and including a range of new functionalities. Nevertheless, it also leaves some issues open for discussion.
Flexibility through Modularity?
One major shift lies in the new modular system adopted by the draft SCCs: they provide for tailored clauses depending on the roles of the parties in a specific case. Parties can choose between four modules regulating the respective contractual combinations: controller-controller, controller-processor, processor-processor and processor-controller.
1. Controller-Controller and Controller-Processor Transfers (Modules 1 and 2)
The current sets of SCCs already address these constellations. The new SCCs bring them in line with the requirements under the GDPR and clarify the respective obligations by imposing specific duties on the parties. In particular, the new SCCs fulfil, within their controller-processor module, the requirements for a data processing agreement under Article 28 (3) GDPR, thus eliminating the need to conclude an additional agreement alongside the SCCs.
2. Processor-Processor Transfers (Module 3)
The new SCCs include a module specific to transfers between data processors, something that, while very relevant in practice, had not been covered by the current SCCs, leading to difficulties in the treatment of complex processing chains. Like the controller-processor module, this module eliminates the need for a further agreement under Article 28 (3) GDPR between processor and sub-processor and finally puts such transfers on a clear legal basis.
However, the set-up of the module does not seem very practical for complex multi-party situations: Annex I.A. appears to require that the controller always becomes a party to the SCCs between the processor and the sub-processor. From a practical standpoint, a mere obligation to mention the controller's identity would be preferable.
3. Processor-Controller Transfers (Module 4)
Interestingly, the draft SCCs also include a module specific to situations in which data controlled by a third-country entity is exported by an EU-based processor to that third-country data controller. However, the exact scope of application of this constellation remains unclear. So far, views differ as to whether such a transfer should even be considered a cross-border transfer within the meaning of Article 44 GDPR, as data transfers between controller and processor are generally privileged and do not need to be justified separately.
Even if SCCs were deemed required for processor-controller transfers, the requirements set out in the new SCCs seem odd: the Article 28 GDPR data processing agreement that is unquestionably required in controller-processor relationships is not contained in Module 4 of the new SCCs. Furthermore, Module 4 will make it harder for EU-based processors to sell their services to third-country controllers, as the SCCs will subject the third-country controller to quite strict obligations despite the fact that the GDPR is not applicable to it.
Schrems II Implications
Clauses 2 and 3 of Section II include safeguards derived from the CJEU's findings in Schrems II and should be read in conjunction with the EDPB Recommendations on supplementary measures when transferring personal data to third countries. They apply to Modules 1-3, as well as to Module 4 where the exporter combines the data received from the third-country controller with data collected in the EU.
Transfer Impact Assessment
Under Clause 2, paragraph (a), all parties are required to warrant "that they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses."
In conjunction with Clause 2, paragraphs (b) to (d), this provides for a mandatory Transfer Impact Assessment (TIA), whereby the parties must assess the data transfer on the basis of the local laws and regulatory practice applicable to the importer, document that assessment and provide it to the competent supervisory authority when asked to do so. The purpose of this obligation is to sensitize the parties to existing and potential privacy risks arising out of such regulation.
The joint opinion of the EDPB and EDPS on the new SCCs stresses that such an assessment must be based on objective factors, thus leaving little room for factors such as the likelihood of a request in a specific case. For transfers to the US, the TIA will therefore have to consider the wide-reaching access possibilities of US authorities under the Foreign Intelligence Surveillance Act (FISA) and US Executive Order 12333 and, to the extent these provisions apply to the data importer, will make it difficult for the parties to simply sign the new SCCs without further ado.
Contractual safeguards against law enforcement access requests
Clause 3 of Section II provides for detailed rules in the event that a public authority requests the disclosure of transferred data from the data importer. The importer is mandated to "promptly notify the data exporter and, where possible, the data subject" if a binding request by a public authority is received, including all relevant information available on the details of the request.
In its second part, Clause 3 extensively obligates the data importer to take all steps possible to avoid a disclosure of transferred data in the case of a binding request. The importer has to conduct a legal assessment and, if sufficiently promising, use the available legal remedies to challenge the request. The legal assessment must be documented and made available to the data exporter as well as the competent data protection supervisory authority where permissible. In addition, the importer shall only disclose the minimal amount of data necessary "based on a reasonable interpretation of the request".
The contractual safeguards set out in Clause 3 are similar to the ones data exporters have (tried to) negotiate with data importers following the Schrems II decision. As the new SCCs will need to be concluded "as is", burdensome negotiations over these protections against law enforcement access requests will likely fall away in the future.
Other Key Issues
Hierarchy and Liability
Clause 4 of Section I contains a clear rule on hierarchy, stipulating a general precedence of the SCCs: "In the event of a conflict between these Clauses and the provisions of any other agreement between the Parties existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail." This is of particular relevance in relation to Clause 7 of Section II, which contains modular rules on liability, generally establishing uncapped liability of both parties. As the SCCs take precedence, it is difficult for the parties to deviate from (and limit) the data transfer related liability in their commercial agreement.
Third Party Accession
Clause 6 of Section I includes a novel docking clause, enabling third parties to accede to the SCCs as a data exporter or importer without the need to conclude separate contracts. Under this instrument, the application of the SCCs, and thus the legitimacy of data transfers, is more easily expandable and therefore more manageable in practice.
Termination of the Contract
Section III includes a clause on the termination of the contract where the data importer is unable to comply with the SCCs for whatever reason, which includes cases in which the inability to comply is caused by governmental action in the third country.
Choice of Law
Finally, in contrast to the current SCCs, the governing laws and competent courts under the contract can be chosen by the parties and might be those of any EU member state, providing for additional flexibility in this regard. The competent supervisory authority, however, will generally remain the authority competent for the data exporter.
The new SCCs are expected to be published in the second quarter of 2021; once published, they will need to be concluded for any new transfers taking place, and the former sets of SCCs can no longer be used. With respect to contracts concluded before that date, a grace period of one year is established, within which existing SCCs will need to be replaced. Due to the mandatory transfer impact assessment to be conducted when concluding the new SCCs, 2021 will once again be a busy year for privacy experts.