1 April 2021

Data exports – Insights series

The new draft Standard Contractual Clauses – legal certainty for data transfers?

Paul Voigt looks at the pros and cons of the new draft SCCs.

Author: Dr. Paul Voigt, Lic. en Derecho, CIPP/E, Partner

In November 2020, the European Commission released a new set of standard contractual clauses (SCCs) for cross-border transfers of personal data for public consultation. Under Article 46(2)(c) GDPR, international data transfers may be justified by concluding SCCs between data exporters in the EU/EEA and data importers in so-called 'third countries' outside the EU/EEA.

In light of the recent CJEU Schrems II judgment, which annulled the EU-US Privacy Shield, SCCs are bound to play an even bigger role in legitimising international data transfers. The current sets, however, date from 2001/2004 (controller-to-controller transfers) and 2010 (controller-to-processor transfers) respectively. Given that they pre-date the GDPR as well as the Schrems II judgment and the subsequent EDPB guidance, they are overdue an update.

The much-anticipated drafts published by the Commission take a different approach from the current clauses and include a range of new functionalities. They also leave some issues up for discussion.

Flexibility through modularity?

One major shift lies in the new modular system adopted by the draft SCCs: they provide for tailored clauses depending on the roles of the parties in a specific case. Parties can choose between four modules reflecting contractual combinations: controller-controller, controller-processor, processor-processor and processor-controller.

Controller-Controller and Controller-Processor transfers (Modules 1 and 2)

The current sets of SCCs already address these two arrangements. The new SCCs bring them in line with the requirements of the GDPR and clarify the respective obligations by imposing specific duties on the parties. In particular, the controller-processor module incorporates the data processing agreement required under Article 28(3) GDPR, helpfully removing the need to conclude an additional agreement.

Processor-Processor transfers (Module 3)

The new SCCs include a module specific to transfers between processors. One of the most pressing issues with the current SCCs was the lack of a set of clauses to cover this common processing arrangement. Like the controller-processor module, this module eliminates the need for a further agreement under Article 28(3) GDPR between processor and sub-processor and finally puts such transfers on a clear legal basis.

Having said that, the set-up of the module does not seem very practical for complex multi-party situations: Annex I.A. seems to require the controller to be a party to the SCCs between the processor and the sub-processor. From a practical standpoint, a mere obligation to identify the controller would be preferable.

Processor-Controller transfers (Module 4)

Interestingly, the draft SCCs also include a module for the situation in which an EU-based processor exports data to its controller in a third country, where that controller is not itself subject to the GDPR. However, the exact scope of application of this module remains unclear. Views so far differ as to whether such a transfer should even be considered a cross-border transfer within the meaning of Article 44 GDPR, since data flows between a controller and its processor do not otherwise need to be justified separately.

Even if SCCs were deemed necessary for such processor-controller transfers, the requirements set out in the new SCCs seem odd. The Article 28 GDPR data processing agreement, which is mandatory in controller-processor relationships, is not included in Module 4. In addition, Module 4 will make it harder for EU-based processors to sell their services to third country controllers, as the SCCs will subject the third country controller to quite strict obligations to which it might not otherwise be subject.

Schrems II implications

Clauses 2 and 3 of Section II include safeguards that take account of the CJEU's ruling in Schrems II and should be read in conjunction with the EDPB Recommendations on supplementary measures when transferring personal data to third countries. They apply to Modules 1-3, as well as to Module 4 where the exporter combines the data received from the third country controller with data collected in the EU.

Transfer Impact Assessment

Under clause 2(a), all parties are required to warrant "that they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses".

In conjunction with clauses 2(b)-(d), this provides for a mandatory Transfer Impact Assessment (TIA), whereby the parties must assess the privacy risks of the data transfer taking into account the local laws and regulatory practice applicable to the importer, document such assessment and provide it to the competent supervisory authority when asked to do so.

The joint opinion of the EDPB and EDPS on the new SCCs stresses that such an assessment must be based on objective factors, leaving little room for factors such as the likelihood of a request in a specific case. For transfers to the US, the TIA will consequently have to consider the wide-reaching access rights of US authorities under the Foreign Intelligence Surveillance Act (FISA) and the US Executive Order 12333 and – to the extent these stipulations apply to the data importer – will make it difficult for the parties to simply sign the new SCCs without taking further steps to protect the data.

Contractual safeguards against law enforcement access requests

Clause 3 of section II provides for detailed rules in the event that a public authority requests the disclosure of transferred data from the data importer. The importer is mandated to "promptly notify the data exporter and, where possible, the data subject" if a binding request by a public authority is received, including all relevant information available on the details of the request.

In its second part, clause 3 places extensive obligations on the data importer to take all possible steps to avoid disclosure of transferred data in the event of a binding request. The importer has to conduct a legal assessment and, where appropriate, use the available legal remedies to challenge the request. The legal assessment must be documented and, where permissible, made available to the data exporter as well as to the competent data protection supervisory authority. In addition, the importer may only disclose the minimum amount of data necessary "based on a reasonable interpretation of the request".

The contractual safeguards mentioned in clause 3 are similar to the ones data exporters have (tried to) negotiate with data importers following the Schrems II decision. As the new SCCs will need to be concluded 'as is', burdensome negotiations with respect to the provision of these protections against law enforcement access requests will likely fall away in future.

Other key issues

Hierarchy and liability

Clause 4 of Section I contains a clear rule on hierarchy, stipulating a general precedence of the SCCs: "In the event of a conflict between these Clauses and the provisions of any other agreement between the Parties existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail." This is of particular relevance in relation to Clause 7 of Section II, which contains modular rules on liability and generally establishes uncapped liability for both parties. As the SCCs take precedence, it will be difficult for the parties to deviate from (and limit) the data transfer-related liability in their commercial agreement.

Third party accession

Clause 6 of Section I includes a novel docking clause, enabling third parties to accede to the SCCs as a data exporter or importer without the need to conclude separate contracts. Under this mechanism, the application of the SCCs, and thus the legitimacy of the data transfers, can be extended more easily and is therefore more manageable in practice.

Termination of the contract

Section III includes a clause on the termination of the contract where the data importer is unable to comply with the SCCs for whatever reason, which includes cases in which the inability to comply is caused by governmental action in the third country.

Choice of law

Finally, in contrast to the current SCCs, the governing laws and competent courts under the contract can be chosen by the parties and can be those of any EU Member State, providing additional flexibility. The competent supervisory authority, however, will generally remain the authority competent for the data exporter.

Next steps

The new SCCs are expected to be published in the second quarter of 2021. Once published, they will need to be used for all new transfers, and the former sets of SCCs can no longer be concluded. For contracts entered into before that date, there will be a grace period of one year.

Within that time frame, existing SCCs will need to be replaced. Due to the mandatory transfer impact assessment which needs to be carried out before entering into the new SCCs, 2021 will once again be a busy year for privacy experts.
