What's the issue?
Standard Contractual Clauses (SCCs) are one of the key methods under the GDPR of legitimising cross-border transfers of personal data from the EEA to third countries which do not benefit from an EU adequacy decision. While always a popular choice due to the relative ease of putting them in place, the original versions did not cover the full range of data journey relationships and were put in place before the GDPR and the CJEU Schrems decisions which changed the data exports landscape.
In June 2021, the EC published updated modular SCCs which not only reflect current EU law, but provide greater flexibility in terms of capturing the relationships between importers and exporters, allowing multiple parties, and providing a docking clause which allows parties to accede to clauses.
The UK's international data transfer addendum to the EC's standard contractual clauses (Addendum) is designed to be appended to the EU SCCs and essentially incorporates them.
What's the development?
Following stakeholder feedback, the EC has published a set of Q&As on the new SCCs. These are intended to be dynamic and will be added to as further questions arise.
What does this mean for you?
The Q&As are useful as a quick reference to address some of the newer aspects for those used to the old SCCs. They are helpful on issues of incorporation and formalities, although the processes for adding on parties to existing SCCs look more labour intensive than might previously have been assumed.
One of the more novel aspects of the SCCs is Module 4 which applies to processing operations between a processor subject to the GDPR, transferring data to a third country controller not subject to the GDPR. Question 30 looks at the scenarios in which Module 4 might be used – something which was not entirely obvious on the face of the SCCs. In answering Q30, the Commission says Module 4 should be used "where a processor in the EEA is hired by a controller outside the EEA, either to collect data in the EEA on behalf of the controller, or to process data received from the controller in the EEA. In those cases, the SCCs can be used by the processor to transfer the data (back) to its controller".
The first example scenario given in the Q&As suggests Module 4 can be used when the processor combines imported non-EU data with EU data it processes as a processor acting for the importing controller, and then exports it in aggregated form back to the controller. We could envisage this being useful in, for example, some clinical trials where there is a non-EU sponsor.
The second situation mentioned is where a third country controller uses an EU cloud service provider to store its customer database. This makes sense where the database includes EU customer data. If however, there is no EU data, it seems unlikely that a controller not otherwise subject to the GDPR, would engage an EU processor in the first place as it would then bring itself into scope of the GDPR transfer requirements unnecessarily. Though Module 4 does not contain the full set of Article 28 processor clauses, it is hard from a commercial perspective, to envisage this scenario even if it is theoretically possible.
Most notably, the Q&As inevitably fail to tackle the underlying issue with the new SCCs – it is not always possible to protect personal data from disproportionate or unjustified (in the EU's view) access by third country governments.
This point has been underlined by NOYB, the privacy advocacy group set up by Max Schrems. It recently warned that without real legislative change in the US, the planned replacement for the Privacy Shield is unlikely to resolve the issue of potential US government access to EU data. The same principle applies to the SCCs. While a Transfer Impact Assessment (TIA) is required before third country transfers can take place under the SCCs, and supplementary measures can be put in place to address risk, it is challenging to guarantee that these supplementary measures will eliminate risk entirely. The Q&As don't have much to say about the impact of Schrems II beyond that a TIA must be carried out and supplementary measures taken in accordance with the EDPB guidelines.
NOYB has already successfully challenged the use of SCCs and supplementary measures in the context of the use of Google Analytics (GA), with the French and Austrian regulators saying such transfers are unlawful. GA data is transferred under Google-provided SCCs with additional organisational and technical measures, and is hosted in the USA.
The French DPA, the CNIL, recently published a set of Q&As regarding its decisions on Google Analytics and similar tools. Its view is that use of GA (or any similar technology where the data is hosted on servers in third countries which do not adequately protect the data) will result in unlawful data transfers. This will be the case unless the data is encrypted before it leaves the EEA, by an EU data exporter (or other adequate country entity) with exclusive access to the encryption keys, or where a proxy server (which meets the June 2021 EDPS guidelines) is used to avoid direct contact between the internet user's terminal and the importer's servers.
GA data has traditionally been seen as 'low risk' but the CNIL says that the likelihood of data being accessed by third country government agencies is irrelevant. The mere possibility of access is enough to require that access to the data is made impossible or ineffective.
Whether or not the CNIL has gone too far in its assessment will be hotly debated but this illustrates the continuing issue with data transfers from the EEA (and, by extension, the UK) to third countries, including to the USA. While the EC's Q&As on SCCs may help navigate their new structure, they cannot, and do not try to, address the broader issues.
