The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision.
On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries (the New SCCs). The New SCCs were published two days after the European Data Protection Board (EDPB) released its draft recommendations on supplementary measures (the Recommendations). (For more information, see Latham’s blog post The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.)
In the New SCCs, the Commission has substantially updated the SCC terms. The New SCCs provide for new types of data transfer (i.e., processor-to-processor and processor-to-controller transfers, in addition to the controller-to-controller and controller-to-processor transfers covered in the current SCCs) and, to a limited extent, address matters arising from the CJEU Schrems II decision.
Schrems II Requirements
The New SCCs include specific terms to address certain matters arising from the CJEU’s decision in Schrems II. The main relevant obligations are:
Destination country’s legal regime. The New SCCs require all parties to warrant that “they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses”. The parties’ assessment of the risks of the data transfer must be documented and made available to supervisory authorities upon request.
This obligation builds on a similar warranty imposed on the data importer under the current SCCs. Unlike the current SCCs, however, the relevant clause in the New SCCs sets out specific factors the parties must consider in providing this warranty. Notably, one of the factors included consists of “the specific circumstances of the transfer, including […] any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred”. The inclusion of this factor appears to suggest that a data importer can consider the likelihood that it will receive a request from public authorities — based on its past experience — in evaluating whether it has reason to believe that the laws in the destination country will prevent it from fulfilling its obligations to ensure essentially equivalent protection. This contrasts with the approach taken by the EDPB in its Recommendations, which describe this type of factor — i.e., the likelihood of public authorities obtaining the transferred data — as a “subjective” factor that should not be considered in conducting an essential equivalence assessment (as required under Step 3 of the data transfer roadmap set out in the Recommendations).
The fact that the New SCCs explicitly require this factor to be considered when assessing the specific circumstances of the relevant data transfer is helpful and hopefully will influence the EDPB when it finalises its guidance.
Obligations on the data importer in the event of a government access request for disclosure of personal data. These obligations also build on terms in the current SCCs (controller-to-processor), which require the data importer to promptly notify the data exporter about any legally binding request for disclosure of the personal data by a law enforcement authority (unless otherwise prohibited). The obligations in the New SCCs are significantly expanded, and apply to data importers in any capacity (i.e., processor or controller).
As in the current SCCs, the New SCCs require the data importer to notify the data exporter (and data subject, where possible) of a legally binding request from a public authority for disclosure of relevant personal data or if it becomes aware of any direct access to such data by public authorities. However, the enhanced obligations in the New SCCs further require that, if the importer is prohibited from notifying the exporter, it must use its best efforts to obtain a waiver on the prohibition. The importer must also regularly provide the exporter with the greatest possible amount of information regarding requests received, to the extent this is permissible under the laws of the country of destination.
The importer must also (i) review, under the laws of the country of destination, the legality of such disclosure requests; (ii) provide the minimum information permissible in response to such disclosure requests; and (iii) exhaust all available remedies to challenge the request, including seeking interim measures, if, after a careful assessment, it concludes that there are grounds under the laws of the country of destination to do so. The importer should not disclose data until required to do so under the applicable procedural rules.
These obligations could potentially be onerous for importers in practice — particularly the requirement to make best efforts to obtain a waiver of a non-disclosure requirement. Such non-disclosure requirements routinely accompany legal process issued by criminal or national intelligence authorities, in order to protect the confidentiality of ongoing investigations. Recipients of such legal process often know little or nothing about the facts of the underlying investigation, making it difficult to assert any specific grounds to contest any accompanying non-disclosure order.
More robust security measures. Annex II of the New SCCs requires companies to provide extensive information about the technical and organisational measures they have in place — in particular, as they relate to data security — and to keep this information regularly updated. One of the examples of technical measures included in Annex II is encryption, which the Recommendations likewise promote as a key supplementary measure to prevent public authorities from accessing data. However, the EDPB in the Recommendations takes the position that, in order for encryption arrangements to be effective, the data recipient must never have access to, or the ability to access, the unencrypted data or the encryption keys. Many companies will not be able to enter into such arrangements and still deliver or receive the desired services. In contrast, the New SCCs do not include any particular standards or conditions around the use of encryption as a technical measure, which could be helpful to organisations that use encryption to protect their data, but not in a way that renders the data unreadable or inaccessible to the transfer recipient.
The New SCCs feature a number of the contractual measures outlined by the EDPB in its Recommendations as potential supplementary measures to ensure adequate data protection (including the terms described above). However, the New SCCs do not include all of the contractual measures in the Recommendations. In particular, the New SCCs do not include contractual measures requiring protections against data “back doors”, nor do they require the inclusion of “warrant canaries” (i.e., periodic notices to inform the exporter that the importer has not received during the relevant period any public authority requests to disclose the personal data).
Depending on the outcome of an organisation’s relevant data transfer risk assessment, the enhanced safeguards included in the New SCCs increase the likelihood that the SCCs will be sufficient in themselves and will not require supplementation with additional measures. However, the Commission does acknowledge in its draft decision the potential need for the New SCCs to be accompanied by supplementary measures, where necessary, to ensure an adequate level of protection for the transferred data. The EDPB’s guidance on data transfer assessments and supplementary measures set out in its Recommendations raises a number of challenges for businesses, so how the New SCCs and the Recommendations will interact in practice — and how inconsistencies between the two will be resolved — remains to be seen.
Other Key Changes
The Commission has restructured the SCCs and has overhauled the terms to ensure they reflect the GDPR (rather than the previous Data Protection Directive). Perhaps of most significance, the New SCCs:
- May be used by both controllers and processors as data exporters. The New SCCs apply to processor-to-processor and processor-to-controller transfers (as well as controller-to-controller and controller-to-processor transfers, as already provided for by the SCCs). Unlike the SCCs (which are separate, standalone agreements for each type of transfer), the New SCCs are structured as a modular document that includes clauses applicable to all transfers as well as different modules of specific terms for different types of data transfer (controller-processor, processor-to-processor, etc.). The addition of processor-to-processor transfers resolves one of the long-running practical issues with the current SCCs, which require a mandate mechanism to allow for SCC transfers between EEA processors and non-EEA sub-processors.
- May be used by non-EU established data exporters. The draft implementing decision helpfully clarifies that the New SCCs (including onward-transfer mechanisms) may be relied upon by data exporters established outside the EEA to the extent the processing is subject to the GDPR pursuant to the extraterritorial reach of Article 3(2) GDPR.
- Include mandatory data processing terms under Article 28 GDPR. By including the mandatory requirements for data processing agreements under Article 28 GDPR, the New SCCs remove the need for separate data processing terms in order to satisfy Article 28, for the specific processing constituted by the data transfers. Organisations may nonetheless choose to implement other data processing terms, to sit alongside the New SCCs, in order to cover wider personal data activities and/or negotiated data processing arrangements. When using additional data processing clauses, organisations should take care to ensure that such clauses do not cut across the terms of the New SCCs, which will prevail over the organisations’ negotiated terms in the event of inconsistencies.
The New SCCs are open for public consultation until 10 December 2020 (as compared to the consultation on the Recommendations, which is now open until 21 December 2020). This consultation will include submission of a joint opinion on the New SCCs from the EDPB and the European Data Protection Supervisor. The joint opinion will be of particular interest, given the inconsistencies between the approaches of the Commission and the EDPB (e.g., in relation to assessing the destination country’s legal regime, as above).
Once finalised and approved, the New SCCs will replace the SCCs for personal data transfers, though organisations will benefit from a 12-month grace period in which to enter into the New SCCs. In contrast, the Recommendations are applicable with immediate effect (even while they remain open for consultation), according to the EDPB.
The UK is likely to become a third country for data transfer purposes on 1 January 2021 (timings for an adequacy decision for the UK remain unclear). As the New SCCs will not yet be approved by that date, organisations looking to rely on SCCs in relation to transfers to the UK should factor into their implementation the requirement to replace those SCCs with the New SCCs within the proposed 12-month grace period.
Implementation of the New SCCs is unlikely to be a purely administrative task, not least because of the requirement for a documented data transfer risk assessment (as set out above) and the various new obligations that may need to be flowed through to related services agreements, data processing agreements, sub-contractor arrangements, etc. Accordingly, organisations should start to map and assess their personal data transfers as a first step in scoping the potential compliance with the New SCCs and following the Recommendations.