Has there been anything more anticipated than the EU Commission’s updated standard contractual clauses (SCCs)? Hardly! There are surely major celebrations ongoing in the privacy community eagerly looking forward to the demanding work of implementing the new clauses. The SCCs were issued on 4 June 2021 and come into effect on 27 June 2021.
As Vice-President for Values and Transparency Vera Jourová said, “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers.”
Commissioner for Justice Didier Reynders said, “With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”
The updates were sorely needed to bring clarity to the legality of data transfers outside the European Union, because the last revision of the clauses dates from 2010. Since then, the General Data Protection Regulation (GDPR) became applicable in 2018 and, interpreting the new regulation, the Court of Justice of the European Union (CJEU) upended data transfers with its “Schrems II” decision in July 2020.
Schrems II invalidated the Privacy Shield, the transfer mechanism between the EU and the US, while upholding the validity of SCCs for data transfers to third countries, provided the data exporter assesses, case by case, whether the law and practice of the destination country allow the importer to comply with them (a transfer impact assessment) and, where they do not, implements “supplementary measures”.
This is not the first time SCCs have been issued. In 2001, SCCs for controller-to-controller transfers were released, followed the next year by SCCs for controller-to-processor transfers. Revisions followed in 2004 and 2010. With each new set of SCCs, the European Commission has sought to grapple with technological evolution, providing updated safeguards for increasingly complex data transfers.
Where to Start
The EU Commission first published its draft of the new SCCs in November 2020, and the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion in January 2021. The Commission makes clear that these SCCs are only to be used when the data importer is not itself subject to the GDPR. The new SCCs retain the modular structure of the November draft, including a set of clauses for:
- Controller-to-controller Transfers (Module 1)
- Controller-to-processor Transfers (Module 2)
- Processor-to-processor Transfers (Module 3)
- Processor-to-controller Transfers (Module 4)
The updates add two modules, processor-to-processor and processor-to-controller, not envisioned in earlier SCCs. It is up to the data exporter to choose the appropriate module for each transfer. The SCCs then specify provisions that impose requirements in relation to:
- Purpose Limitation
- Data Accuracy
- Duration of Processing
- Sensitivity of Data
- Onward Transfers
There are two other major updates. The first allows more than two parties to sign a single set of clauses and, through an optional “docking clause”, allows new parties beyond the initial signatories to accede later. This makes the updated SCCs more flexible, envisioning relationships that change and expand over time.
The second is Section III of the new SCCs, which addresses the Schrems II requirements with clauses on local laws and practices affecting compliance and on the obligations of the data importer in case of access by public authorities. The Commission has taken a risk-based approach: the parties must warrant that they have “no reason to believe” that the laws and practices of the destination country will prevent the data importer from fulfilling its contractual commitments. In reaching this conclusion, the parties must consider the “specific circumstances of the transfer,” the “laws and practices of the third country,” and the “relevant contractual, technical or organisational safeguards put in place.” This assessment must be documented and made available on request to the competent supervisory authority. Of particular contention is the provision that the assessment “may include relevant and documented practical experience with prior instances of request for disclosure from public authorities, or the absence of such requests.” Such experience must “be supported by other relevant, objective elements, and it is for the Party to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion.”
The new SCCs contain non-negotiable clauses at the front end and appended annexes where the specifics of the data transfer arrangements are left to the contracting parties. There are three annexes in total.
Annex I includes a list of the contracting parties and a description of the transfer, including the categories of data subjects and of personal data, the frequency of the transfer, and the nature and purpose of the processing. Annex I also identifies the competent supervisory authority, determined by where the data exporter is established or, if the exporter is located outside the EU, where its Article 27 representative is established. Where onward transfers are envisioned, Annex I additionally requires information about them, and for transfers to (sub-)processors it requires the subject matter, nature and duration of their processing.
Annex II covers the technical and organisational measures (TOMs) taken to ensure the security of the data. These must be described in “specific (and not generic) terms”; the Annex lists examples of possible measures such as pseudonymisation and encryption. Again envisioning onward transfers, Annex II requires a description of the specific technical and organisational measures the (sub-)processor will take so that it can assist the controller or the data exporter.
Annex III is a list of sub-processors. It is used where the data importer must obtain the data exporter’s specific prior authorisation to appoint a sub-processor; where the data importer has a general authorisation, this Annex does not apply.
The old SCCs may continue to be used for new contracts over a transition period of three months, that is, until 27 September 2021. This gives organisations an opportunity to read and adopt the new requirements. Contracts concluded on the old SCCs before that date remain valid until 27 December 2022 (18 months after entry into force), provided the processing operations remain unchanged, which gives organisations until the end of 2022 to migrate legacy transfers.
An open question remains about what counts as sufficient supplementary measures. Annex II has a list of envisioned technical and organisational measures, and in November 2020 the European Data Protection Board released draft recommendations on measures that supplement transfer tools. These set out six steps:
Step 1: Know your transfers
Step 2: Identify the transfer tools you are relying on
Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
Step 4: Adopt supplementary measures
Step 5: Procedural steps if you have identified effective supplementary measures
Step 6: Re-evaluate at appropriate intervals
The fourth step covers contractual, technical and organisational measures. These TOMs have been an area of recent dispute, with EU courts asked to identify TOMs that satisfy the requirements. For example, a French court has suggested that encryption of the data with the key held by a third party in the EU may be suitable where the data concerned is not sensitive.
Final guidance on supplementary measures is expected from the EDPB at the end of June 2021.
Beyond that, importing organisations that receive a public-authority access request must notify the data exporter unless prohibited from doing so and, if prohibited, use their best efforts to obtain a waiver of the prohibition. The data importer must review the legality of the request, challenge it where the SCCs so stipulate, and provide only the minimum information permissible when responding. The obligation to challenge has, however, been limited to instances where the data importer “concludes that there are reasonable grounds to consider that the request is unlawful”, rather than being a blanket requirement.
Lastly, the new SCCs can be supplemented with additional clauses, so long as the additions do not contradict the SCCs or reduce their protection for data subjects. If any other agreement contradicts the SCCs, the SCCs prevail (Clause 5). This raises questions about apportioning liability between the contracting parties. The SCCs expressly state that “each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.”
Lingering issues remain in this contested area, including whether importing organisations that are already directly subject to the GDPR under Article 3(2) must still implement Schrems II “supplementary measures” where local laws risk undermining the protections the GDPR affords. American commentators have raised this issue with some chagrin, arguing that the United States is being held to a higher standard than EU Member States.