22 June 2021
Radar - June 2021 – 1 of 2 Insights
The EC's Standard Contractual Clauses (SCCs) are one of the key mechanisms to legitimise the cross-border transfer of personal data from the EU to third countries which do not benefit from an EU adequacy decision.
SCCs have proved popular over the years (particularly following the collapse of the US Safe Harbor regime which preceded the similarly ill-fated Privacy Shield). However, they have limitations. They are rigid and only apply to controller to controller and controller to processor exports. In addition, they were approved prior to the GDPR and, of course, before the Schrems II decision which changed the landscape for data transfers.
The EC has published new SCCs intended to address these issues and they are much more closely aligned to GDPR requirements, including on the data protection principles, breach reporting, data subject rights, and technical and organisational measures.
As expected, the new SCCs adopt a modular approach (so there is only one set of clauses) and cover processor to processor and the less common processor to controller transfers as well as the traditional terrain of the existing SCCs.
The clauses also allow flexibility on the number of parties and when they can sign up.
In theory, the new clauses also allow additional clauses to be added in provided they don't conflict with the SCCs.
The SCCs take priority over other related agreements. This means, for example, if there is a conflict with a related Data Processing Addendum, the SCCs will prevail.
The parties are liable to each other for any breach of the clauses.
Under the controller to controller and processor to controller modules (1 and 4), the parties have joint and several liability to data subjects.
Under modules 2 and 3 (controller to processor and processor to processor), the data importer is liable to data subjects for material or non-material damage suffered as a breach of the clauses by the importer or its sub-processor(s). The exporter is liable for any material or non-material damages caused by the exporter, the importer or its sub-processor(s). The exporter can recover from the importer or the sub-processors if it is held liable for their actions but was not at fault.
Due to the hierarchy clause, it appears that liability cannot be limited under an additional clause or agreement.
Schrems II and data transfer impact assessments
Clause 14 deals with the issue of local laws which might impact the ability to comply with the SCCs. This takes into account the requirement under the Schrems II judgment that controllers assess on a case by case basis, whether or not the data will receive a level of protection equivalent to that in the EU.
In fact, all parties to the SCCs are required to warrant that they have no reason to believe the laws and practices in the importing country will prevent the data importer from complying with the SCCs.
In addition, the parties must document the assessment process which must be carried out in order to enable them to give the warranty, and make the assessment available to the competent supervisory authority on request. In other words, they must carry out a data transfer impact assessment (DTIA). The assessment is largely risk-based which also means it will, to some extent, be subjective.
There are various obligations on the data importer in case of access or attempted access by public authorities including to notify the exporter, and to investigate the legality of any request and resist it if there are grounds to do so.
The exporter must warrant that it has used reasonable efforts to determine that the importer is able to comply with the SCCs and must suspend any transfers if it becomes aware that it cannot.
What about the UK?
The ICO has said it is working on UK SCCs. Hopefully, the UK will achieve EU adequacy shortly and there will be no need for SCCs for transfers in either direction between the UK and the US. It is however likely that some organisations will need to enter into two sets of SCCs with the UK and EU respectively.
We don't know to what extent the ICO's approach will mirror the EU's and there may be slightly different obligations. The underlying law remains the same though, not least the impact of the Schrems II judgment which also applies in the UK, at least for now.
The new SCCs come into force on 27 June and must be used from three months after adoption for new processing operations. Those using the old SCCs must transfer over to the new ones within 18 months. They cannot, however, be used where a non-EU importer is importing personal data caught by s3(2) GDPR (ie where the personal data is of data subjects in the Union and the processing activities are related to the offering of goods or services to data subjects in the EU, or to the monitoring of their behaviour where that behaviour takes place in the EU).
The new SCCs are certainly more flexible than the current versions, but uncertainties remain, including over the position of joint controllers and transfers by a processor to a new controller.
And of course, the greatest uncertainty is over the Schrems II requirements and whether and what supplementary measures will be required and will prove effective.
The final version of the EDPB Schrems II guidance on supplementary measures is expected shortly and this will continue to be relevant on top of the SCCs or where other transfer mechanisms are used.
The real problem at a big picture level, is that it is not always possible to completely protect transferred data from government access over and above the level in the EU in certain countries, whether the access is overt or covert. This will put the risk-based approach into sharp relief as organisations need to decide how best to cover off risk and comply as far as they are able.