The European Commission has published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.
The new SCCs have been expected for some time in order to address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice’s decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the Joint Opinion (2/2021) of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft SCCs, as well as the EDPB’s draft recommendations on supplementary measures.
The new SCCs repeal and replace the old controller to controller SCCs (Decision 2001/497/EC, as amended) and the controller to processor SCCs (Decision 2010/87/EC). They come into force on 27 June 2021, and companies can use the new SCCs from that date. Alternatively, companies have the option of continuing to execute new contracts using the old SCCs until those SCCs are repealed on 27 September 2021. From that date, all new contracts must be executed using the new SCCs.
Organisations have a total of 18 months from the date the new SCCs come into force (i.e. until 27 December 2022) to replace the old SCCs with the new SCCs (provided the underlying processing operations remain unchanged and the transfer is subject to appropriate safeguards). This will inevitably be an enormous task for many companies, as it will mean repapering legacy contracts.
Scope of the SCCs and the notion of “international transfers”
The new SCCs can be used by non-EU established exporters (as well as by EU exporters) to legitimize transfers of personal data to a processor or controller established in a third country. Non-EU exporters may use the SCCs to the extent that they are subject to the GDPR because the processing relates to the offering of goods or services to EU data subjects or monitoring of their behaviour (pursuant to Article 3(2) of the GDPR).
It is worth noting one anomaly in respect of the scope of the new SCCs. The SCCs cannot be used for data transfers to a data importer outside the EEA who is subject to the GDPR for a given processing activity pursuant to Article 3(2) of the GDPR. This is confirmed by Article 1 and Recital 7 of the Implementing Decision. Article 1 states that: “The standard contractual clauses set out in the Annex… provide appropriate safeguards … for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-) processor whose processing of the data is not subject to that Regulation (data importer)”. Similarly, Recital 7 states that “without prejudice to the interpretation of the notion of international transfer in Regulation (EU) (2016/679). The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.”
The European Commission, on the recommendation of the EDPB and EDPS, included the wording “without prejudice to the interpretation of the notion of international transfers” in Recital 7, in order to distinguish between the scope of the SCCs, and the scope of the notion of transfers. Guidance from the EDPB and/or the European Commission would be welcome on the reason for drawing this distinction, and as to what constitutes an “international data transfer” under Chapter V of the GDPR, in respect of which appropriate safeguards must be put in place. Is it a transfer of data to any data importer outside the EEA, or is it a transfer to a data importer outside the EEA whose processing activities are not subject to the GDPR? The new SCCs imply the latter.
It remains to be seen whether the UK Government will permit UK companies to use the new SCCs to transfer data to a third country. The UK version of the GDPR currently permits data transfers under the old SCCs. The UK supervisory authority, the ICO, has indicated that it will consider if there is any value in the UK recognising the new SCCs.
The SCCs set out in the Annex to the Implementing Decision combine general clauses with a modular approach to cater for four different transfer scenarios. Organisations must identify whether they are a controller or processor and choose the relevant module(s) that apply. The inclusion, for the first time, of SCCs for processor to processor transfers and for processor-controller transfers will be widely welcomed, and will remove the current need to include agency language in data transfer agreements where a processor is acting as a data exporter.
The transfer scenarios include:
- Controller to Controller transfers (Module 1);
- Controller to Processor transfers (Module 2);
- Processor to processor (Module 3), and
- Processor to controller transfers (Module 4).
The clauses in the SCCs cannot be modified. However, as is the case with the old SCCs, parties can include the SCCs in a wider contract and/or add other clauses or additional safeguards, ” provided that they do not contradict, directly or indirectly [the SCCs], or prejudice the fundamental rights and freedoms of data subjects”.
Multi-Party Use & Docking Clause
The SCCs can be used by multiple parties, and contain a new optional ‘docking clause’ which enables new parties to accede to the clauses at any time, either as a data exporter or importer. Clause 7 makes the accession of new parties conditional upon the agreement of the other parties, but does not specify how the existing parties should provide their agreement. The EDPB and EDPS had recommended in their Joint Opinion on the draft SCCs that, in order to avoid any difficulties in practice, the European Commission should clarify whether such agreement must be provided in writing, the deadline, and the information needed before agreeing. Instead, it will be up to the parties themselves to agree on same when negotiating contracts. It is clear at least, once agreement has been reached, parties can accede to the SCCs by completing the Appendix and signing Annex I.A.
Article 28 Clauses
The new SCCs address a gap in the old controller-processor SCCs, by including the obligatory contractual obligations of data processors under Article 28 (3) of the GDPR. Due to the old SCCs being drafted pre-GDPR, they did not address the processor obligations in the GDPR and, over the past 3 years, companies have been adding the Article 28(3) provisions, or referencing them in their SCCs.
Where there is a conflict between the SCCs and the provisions of any related agreements between the parties, existing either at the time the SCCs are entered into, or thereafter, the SCCs shall prevail.
Obligations of the Parties
Section II of the SCCs sets out the obligations of the parties in respect of each of the relevant modules, including obligations in relation to:
- data protection safeguards that must be implemented (such as transparency, data minimisation, storage limitation, security, data breach notifications and onward transfers) (clause 8);
- the appointment of sub-processors in the context of controller-processor and processor-processor transfers (clause 9);
- data subject rights (clause 10);
- redress (clause 11);
- parties’ liability under the SCCs (clause 12) and
- competent supervisory authority (clause 13).
In regard to the transparency requirements, data subjects must be provided, free of charge, with a copy of the SCCs, including the Appendix as completed by the parties, upon request. The parties are permitted to redact any part of the Appendix prior to disclosure to the data subject where necessary to protect business secrets or other confidential information. On request, the parties must provide the data subject with the reasons for the redactions.
The SCCs prohibit onward transfers by the data importer to a third party located outside the EU (including where the third party is located in the same country as the data importer), unless the third party accedes to the SCCs or another exemption applies. Other exemptions that permit onward transfers depend on the applicable module.
In regard to redress, the data importer is obliged to inform data subjects in a transparent and easily accessible manner, through individual notice or on its website, of a contact point authorised to handle complaints. There is also an optional provision for the importer to agree that data subjects may also lodge complaints with an independent dispute resolution body.
The rules on liability between the parties, and with respect to data subjects, largely reflect the joint and several liability provisions that exist in Article 82 of the GDPR.
Local Laws and Obligations
Section III of the SCCs (clauses 14-15), entitled “Local Laws and Obligations in case of access by Public Authorities” takes account of the Schrems II decision. The clauses in this section apply to all four modules (i.e. all transfer scenarios), except in respect of processor to controller transfers, where the EU processor only processes data received the third country controller, and does not combine it with personal data collected by the processor in the EU.
Consider local laws and practices affecting compliance – Clause 14
Clause 14 of the SCCs requires the parties to assess the level of protection of personal data in the third country, and to warrant that they have “no reason to believe the laws and practices in the third country of destination” prevent the data importer from fulfilling its obligations under the SCCs. The parties are obliged to document their assessment, and to make it available to the competent supervisory authority on request.
In assessing the level of protection afforded by the third country and providing the warranty, the parties must take “due account” of: (i) “the specific circumstances of the transfer” (such as the categories and format of the transferred personal data, the sector in which the transfer occurs, and the storage location of the data transferred), (ii) “the laws and practices of the third country of destination”, and (iii) “any relevant contractual, technical or organisational safeguards put in place” to supplement the safeguards in the SCCs.
Despite the EDPB and EDPS stressing that the parties’ assessment “should be based on objective factors” only, a footnote to clause 14 states that the parties’ assessment “may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests”. It therefore seems the parties may take a risk-based approach when assessing whether they can use the SCCs to legitimize their data transfers. However, where the data importer’s practical experience is relied on to conclude that the data importer will not be prevented from complying with the SCCs, it must be supported by other objective elements, such as publicly available information on the existence or absence of requests within the same sector.
The data importer must notify the data exporter if, having agreed to the SCCs, it believes it is no longer able to comply with the SCCs. Following the notification, unless the data exporter can identify appropriate safeguards (such as technical or organisational measures to ensure security and confidentiality), the data exporter must suspend and/or terminate the SCCs. Unlike under the old SCCs, there is no obligation for the data exporter to forward the notification made by the data importer to the competent supervisory authority, where it decides notwithstanding the notification, to continue the transfer or to lift the suspension. This commitment was scrutinised by the European Court of Justice in Schrems II and the EDPB and EDPS recommended that it should be retained in the new SCCs.
Notification and Challenge legality of access by public authorities – Clause 15
In line with the EDPB’s draft recommendations on supplementary measures, clause 15.1 of the SCCs requires the data importer to notify the data exporter and, where possible, the data subject promptly, if it receives a legally binding request from a public authority (including judicial authorities) under the laws of the third country for disclosure of personal data, or becomes aware of any direct access by public authorities to personal data transferred. Where the data importer is prohibited from notifying the data exporter and/or the data subject, the data importer must use its best efforts to obtain a waiver of the prohibition, with a view to notifying the data exporter and/or data subject as soon as possible.
Where permissible under the laws of the third country, the data importer is also required to provide the data exporter with regular transparency reports about any requests received, including the number of requests, type of data requested, requesting authorities, whether requests have been challenged, and the outcome of such challenges.
Again, in line with the EDPB’s draft recommendations on supplementary measures, clause 15.2 of the SCCs requires the data importer to review the legality of any request for disclosure; challenge the request if there are reasonable grounds to consider it is unlawful; and seek interim measures to suspend the effects of the request until the court has decided on the matter. In the event that the data importer is compelled to respond, it must commit to providing only the minimum amount of information necessary, based on a reasonable interpretation of the request.
Non-Compliance and Termination
Clause 16 of the SCCs requires the data importer to promptly inform the data exporter if it is unable to comply with the SCCs for any reason. If the importer is in breach of the SCCs or unable to comply with them, the data exporter must suspend or terminate the contract.
The data exporter is entitled to terminate the SCCs where: (i) the suspension and non-compliance by the data importer with the SCCs continues for more than one month; (ii) the data importer is in substantial or persistent breach of the SCCs; or (iii) the data importer fails to comply with binding decision of a court or competent supervisory authority regarding its obligations under the SCCs. In each of these cases, the data exporter is required to inform the competent supervisory authority of the non-compliance.
Governing Law & Jurisdiction
Clause 17 of the SCCs allows the parties to choose the governing law of one of the EU Member States, provided such law allows for third party beneficiary rights. In respect of processor to controller transfers, the parties are permitted to choose the law of any country worldwide that allows for third party beneficiary rights.
Clause 18 of the SCCs also allows the parties to select the jurisdiction of any EU Member State to resolve any disputes arising from the clauses. In respect of processor to controller transfers, the parties may choose the jurisdiction of any country worldwide to resolve any disputes arising. Data subjects may also bring proceedings in the courts of the EU Member State where they have their habitual residence.
The new SCCs append three annexes which are to completed by the parties, as discussed below.
Annex I – (A) List of the parties; (B) Description of the transfers, (C) Identity of Competent Supervisory Authority
As discussed above, the SCCs may be used as a multi-party agreement, by more than one data exporter and/or data importer. Annex I requires the parties to set out their role as controller or processor in respect of each of the transfers covered by the SCCs. The EDPB and EDPS in their Joint Opinion on the draft SCCs emphasised the importance of the SCCs providing a clear indication as to how the Annex should be completed appropriately. The EDPB and EDPS noted: “This is all the more necessary because of the modular approach that allows the clauses to be incorporated within one multi-party agreement covering up to four [transfer] scenarios…each of them possibly occurring between different data exporters and/or data importers“. The SCCs seek to address this concern through an explanatory note, which highlights the importance of the parties clearly distinguishing the information applicable to each transfer or category of transfers.
Annex I also requires a description of the parties, a description of the transfers (categories of data subjects and personal data; purpose and frequency of transfer etc.), and the identity of the competent supervisory authority (determined by where the data exporter is established or, for data exporters established outside the EU, where its Article 27 representative is established).
Annex II – Security measures
Annex II requires the parties to describe the technical and organisational security measures implemented to protect the transferred data. The parties must specify the measures which apply to each transfer or category of transfers. It will not be sufficient for the parties to simply state in a generic way, that they will implement technical and organisational security measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and risks to data subjects. The Annex lists examples of possible measures, including pseudonymisation and encryption of personal data, measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems, and data minimisation.
Annex III – List of Sub-processors
Annex III requires parties to Modules two and three data transfers, to complete a sub-processor list, in circumstances where the data importer must receive specific authorization from the data exporter to appoint sub-processors. This Annex does not apply where the data importer has the data export’s general authorisation to engage sub-processors (subject to prior notice and objection requirements).
Organisations will need to review their data flows, and the transfer arrangements they currently have in place. Where organisations are relying on the old SCCs to legitimize their data transfers, they should start taking steps to replace them with the new SCCs. As noted above, organisations that have executed their SCCs prior to 27 September 2021, will have until 27 December 2022 to replace their contracts with the new SCCs. Although this may seem like a long-time frame, replacing legacy SCCs will inevitably be an onerous task for organisations, and will likely entail more than simply swapping out the old clauses for the new clauses.
Although the new SCCs address the Schrems II decision, organisations will still need to consider whether any supplementary safeguards, including technical and/or organisational measures, need to be implemented to ensure the transferred data is afforded an essentially equivalent level of protection as that guaranteed by EU law. Organisations will therefore need to use the SCCs in conjunction with the EDPB’s final recommendations on supplementary measures, which are due to be published in the coming weeks.