Other Authors Alistair Ho, Trainee Solicitor
On 12 November, the European Commission published draft standard contractual clauses for transfers of personal data from the European Union to third countries ("New SCCs").
Once approved, the New SCCs will replace the previous standard contractual clauses which pre-date the implementation of the General Data Protection Regulation 2016/679 ("GDPR"). The draft New SCCs are open to consultation until 10 December 2020. It is expected that they will be adopted by the European Commission at the beginning of 2021.
As a result of the New SCCs and other recent developments discussed below, businesses will need to undertake a remediation project to assess their data transfer arrangements. At the very least, businesses currently using the existing standard contractual clauses will need to replace these with the New SCCs within a year from their adoption in order to continue making international transfers of personal data to affiliates and third parties located outside of the European Economic Area ("EEA") in compliance with the GDPR. Many businesses will need to supplement the New SCCs with additional security measures, or if they determine standard contractual clauses are no longer an appropriate transfer mechanism, review if and how they can continue to transfer the personal data they currently transfer, or intend to transfer.
The New SCCs are heavily influenced by the recent decisions of the European Court of Justice ("CJEU"), which struck down the EU-US Privacy Shield and brought into question reliance on the current standard contractual clauses for international transfers of personal data to third countries with contradicting local laws. They also implement a number of suggestions from a range of recent European Data Protection Board ("EDPB") guidance / recommendations, such as that on the concepts of controller, joint controller and processors (07/2020), supplementary measures for personal data transfer tools (01/2020) and the European Essential Guarantees for surveillance measures (02/2020).
Based on the draft implementing decisionof the European Commission ("Draft Implementing Decision"), businesses will have twelve months from the date the New SCCs enter into force to replace any existing standard contractual clauses currently being relied upon for the performance of a contract concluded between them before that date, provided the contracts remain unchanged. Where contracts containing the old standard contractual clauses are amended before this date, businesses lose the benefit of the twelve month grace period unless these changes are to introduce the additional safeguards required by recent CJEU decisions and EDPB guidance. Section I, Clause 4 of the New SCCs states that where there is a conflict between the clauses and "any other agreement between the parties", whether existing at the time the New SCCs are agreed or entered into thereafter, the New SCCs will prevail.
Modular and flexible
The current standard contractual clauses only envisage use by data exporters that are controllers within the EU. The 28-page New SCCs use a modular approach where specific sets of clauses can be used not only for controller-to-controller and controller-to-processor transfers, but also for processor-to-processor and processor-to-controller personal data transfers.
As well as providing appropriate safeguards within the meaning of Article 46(1) and 46(2)(c) of the GDPR, the New SCCs also set out the rights and obligations of controllers and processors with respect to matters referred to in Article 28(3) and (4) of the GDPR. This will mean that, where controller to processor or processor to processor module New SCCs are used, a separate data processing agreement will not be required anymore.
The New SCCs now contain an optional "docking clause", whereby new parties may accede to the New SCCs, either as a data exporter or a data importer, at any time by way of executing a specific Annex, and with the agreement of the parties to the contract. It is not clear how existing parties would give agreement and the clause's use may be tempered by the practicalities of having multiple parties agree to accession by new controllers/processors.
The New SCCs are split into three sections:
- Introductory clauses: purpose and scope, third party beneficiaries, interpretation, hierarchy, description of transfers, and the optional "docking clause" mentioned above.
- Modular obligations of the parties, depending on the specific transfer scenario.
- Final clauses: non-compliance and termination, governing law, choice of forum and jurisdiction.
Annex I of the New SCCs contains: (a) list of parties; and (b) description of the transfer.
Annex II of the New SCCs contains a description of the technical and organisational measures to ensure the security of the data.
Processor to processor transfers
One module of the New SCCs relates to processor to processor transfers. It introduces obligations on the sub-processor, which see it accountable for certain notices and assistance obligations directly to the controller. For instance, the controller may give further documented processing instructions directly to the sub-processor and has the right to audit the sub-processor.
Currently, most controller-to-processor data processing arrangements usually require processor to sub-processor contracts to mirror the relevant rights and obligations stipulated in the original arrangement; this means that controllers rely on processors to supervise their sub-processors' data processing activities. The introduction of direct accountability of sub-processors to controllers brings the New SCCs in line with the transparency and accountability obligations of the GDPR. While this may allow greater expediency and efficiency, it may also cause duplication, and confusion as to which party – the controller or the processor – shall be responsible for supervising the sub-processor, which may have an impact on liability in case of a GDPR violation.
Laws applicable to the data importer
At the time of agreeing to the New SCCs, the parties must warrant that they have no reason to believe that the laws applicable to the data importer are not in contradiction with the New SCCs (including any incorporated additional safeguards).
Data importer obligations
The New SCCs include stronger obligations on data importers when faced with a disclosure request for European Union ("EU") originated personal data from public authorities in third countries (Section 2, Clause 2 of the New SCCs). The data importer must:
- notify both the data exporter and data subject, where possible, that it has received a request by a public authority to access personal data. Where the data importer is prohibited from notifying the data exporter and / or data subject, it must use, and document, its best efforts to obtain a waiver of the prohibition with a view to communicate as much information as soon as possible. The New SCCs state that this obligation is separate from the data importer's obligation to notify the data exporter where it cannot comply with the New SCCs (Section 3, Clause 1(a) of the New SCCs); this may result in a situation where data importers are obliged to notify data exporters that they cannot comply with the New SCCs, even if they are unable to notify of the public authority data access request;
- assess the legality of such order by reference to the law in force in the third country and, where it considered it has grounds to challenge the order it must do so;
- seek interim measures, when challenging a request, with a view to suspend the effects of the request until the court has decided on its merits;
- document the legal assessment of the request and any challenges to the request for disclosure and make these available to the competent supervisory authority on request; and
- provide the minimum amount of information permissible when responding to a request of disclosure.
Changes in the law / circumstances
If, after having agreed the New SCCs, the data exporter has reason to believe that the data importer cannot fulfil its obligations under the clauses, whether due to a notification from the data importer, or otherwise, then the data exporter may only continue transferring personal data by implementing additional safeguards where these will allow the data importer to fulfil its obligations under the New SCCs. This is an improvement over the position with the current standard contractual clauses, under which a notification from the data importer of its inability to comply with the clauses would oblige the data exporter to suspend or terminate the transfer of personal data.
If the data exporter decides to continue the transfer based on the assessment that additional measures will allow it to do so, it must notify the relevant supervisory authority and provide full details of the safeguards adopted. If appropriate, these may be adopted in consultation with the competent supervisory authority.
Geography or jurisdiction
Notably, Article 1 of the Draft Implementing Decision states that the New SCCs are applicable for transfers of personal data from a controller or processor subject to the GDPR to a controller or (sub-) processor not subject to the GDPR. The EDPB published detailed guidance on the extraterritorial application of the GDPR in November 2019, which explains when the GDPR applies to businesses outside the EEA.
This has created some confusion about the circumstances in which the New SCCs will need to be used. In theory, this could mean that a transfer of personal data to an organisation which is directly subject to the GDPR (even if it is not located in the EEA) might not be considered a "restricted transfer" subject to Chapter 5 of the GDPR. Such transfers would not, therefore, require the implementation of a Chapter 5 transfer mechanism. This echoes the ICO's guidance on what constitutes a restricted transfer and signifies a movement away from transfer mechanisms being required when personal data leaves the EEA, towards when they leave the jurisdictional scope of the GDPR.
However, Article 44 of the GDPR provides that any transfer of personal data to a third country or to an international organisation shall only take place if the conditions laid down in Chapter 5 of the GDPR are complied with. This seems to be the view of the European Commission, which refers to "personal data transfers to third countries" throughout the Draft Implementing Decision. This creates significant uncertainty as to which approach is intended. Hopefully clarity will be provided in the European Commission's consideration of public feedback.
Recent EDPB recommendations make it clear that standard contractual clauses may not be an appropriate tool for all international transfers of personal data. Businesses must also assess whether supplementary measures need to be taken to protect personal data in the third country (for more information about the assessment required and the supplementary measures see our client alert on the European Data Protection Board's Recommendations 01/2020).
A number of additional contractual measures between the data exporter and the data importer suggested by the guidance have been incorporated into the New SCCs. However, the guidance emphasises that contractual measures cannot necessarily be relied upon to ensure that the transfer meets the essential equivalence standard that the GDPR requires, because they do not bind the authorities of the third country. Furthermore, the Draft Implementing Decision references the EDPB recommendations, thereby deferring to the types of measures the board suggests. As a result, businesses will need to consider these alongside the New SCCS.
If businesses are planning to rely on the New SCCs for international transfers of personal data, they must assess whether relying on the New SCCs is effective in light of all circumstances of the transfer. This includes determining if there is anything in the domestic legal order of the jurisdiction to which data is transferred that may impinge on the effectiveness of the appropriate safeguards for the specific transfer, for which the EDPB recommends referring to its European Essential Guarantees. If it is determined that the New SCCs are not appropriate on their own, businesses will then need to consider if any supplementary, in particular, technical measures are available which, when supplemented to the New SCCs, could ensure that the transferred data is afforded the level of protection required under the GDPR.
UK and Brexit
The ICO has stated that it is reviewing the New SCCs. Although the UK had committed to upholding the current standard contractual clauses, it is unclear whether it intends to adopt the New SCCs, which will likely be adopted by the European Commission after the end of the Brexit transition period. If the New SCCs are not adopted by the UK, the ICO may publish its own version of UK GDPR standard contractual clauses. Otherwise, or until which, UK data exporters will be able to continue relying on the current standard contractual clauses for restricted transfers outside of the UK.
The European Commission is currently carrying out an adequacy assessment of the UK and is aiming to make a decision by 31 December 2020. If the UK secures an adequacy decision from the European Commission, when the Brexit transition period ends, transfers of personal data from the EEA to the UK will be able to continue as they do currently, i.e. as if the UK were still an EU Member State.
In the absence of an adequacy decision by the European Commission, when the transition period ends, the GDPR rules for international personal data transfers will apply to any data coming from the EEA into the UK. With the exception of personal data governed by Article 71(1) of the Brexit Withdrawal Agreement (e.g. data processed under EU law before the end of the Brexit transition period), it would be necessary to have an appropriate transfer mechanism, such as the New SCCs (and supplementary measures, if applicable), in place to transfer personal data from the EEA to the UK.
The UK Government has stated that personal data transfers from the UK to the EEA will be permitted after the Brexit transition period has ended. This should mean that no new arrangements will be needed for transfers from the UK to the EEA.