A version of this briefing first appeared in the Privacy Laws & Business UK Report, Issue 122 (July 2022)
International transfers under the EU and UK GDPRs continue to be challenging for organisations. Leaving aside the ins and outs of transfer risk (or impact) assessments, often the simple mechanics of how to use the new documentation have created confusion and uncertainty. Helpfully, the EU Commission has recognised this, and, on 25 May 2022, it published guidance in the form of questions and answers (the Q&As).
The Q&As cover both the use of standard contractual clauses in the context of international transfers (the SCCs), which this article focuses on, and the use of standard contractual clauses in the context of controller-processor relationships. The Q&As have been prepared following feedback from organisations on their experience of using both sets of standard contractual clauses and provide practical guidance for general informational purposes rather than legal advice. The guidance on the SCCs is aimed at organisations transferring personal data out of the EEA under the EU GDPR, which will include both EU and UK-based organisations. However, the guidance will also be of interest to UK-based organisations that use the ICO’s ‘International data transfer addendum to the EU Commission’s SCCs’ (which is essentially an addendum to the SCCs to make them work in a UK context) for transfers out of the UK under the UK GDPR.
How to use the SCCs in a broader commercial context
Incorporation by reference
The Q&As do not expressly confirm that the SCCs can be incorporated by reference into a broader commercial contract – rather, the guidance states that this is a matter for national law. The SCCs do need to be signed by, and binding on, all parties to a commercial contract, but again, the Q&As do not prescribe how this should be formalised (e.g. whether electronic signatures are acceptable, as is the case in the UK). Subject to national law requirements, parties can therefore choose their preferred approach. When using the ICO’s addendum referred to above for transfers under the UK GDPR, the ICO has helpfully clarified that it will not be necessary to sign the SCCs to which the addendum is appended as entering into the addendum will have the same effect as signing the appended SCCs.
Although there is evidence that organisations are indeed relying on incorporation by reference in practice, there are still some challenges and pitfalls with this approach. In particular, organisations should ensure they still provide the information required by the Annexes to the SCCs (the Annexes) and specify in the broader commercial contract the correct module from the SCCs that applies. This may make the contract less clear, especially in situations where more than one type of relationship is covered (e.g. controller to controller and processor to controller transfers).
In addition, the Q&As remind us that data subjects are entitled to receive a copy of the SCCs, which the Q&As states should be “as they have been used”, including the modules selected and the completed and signed Annexes. A general reference to the type of SCCs used (e.g. a link to the EU Commission’s website) will not be sufficient. In practice, organisations contemplating incorporating the SCCs by reference should consider how they would comply with this transparency obligation, were a request from a data subject be made.
Interaction with processor terms
The Q&As remind us that the SCCs contain the Article 28(3) processor terms (unlike the UK’s International Data Transfer Agreement (IDTA)), which means controllers and processors using the SCCs do not need a separate data processing agreement. Parties relying on an adequacy decision can choose to also put in place SCCs to cover off the 28(3) requirements. However, in practice it is likely (particularly for longer-term or data-heavy arrangements) that the parties will want to include additional commercial terms, either in a separate agreement between them or by adding extra clauses to the SCCs. This is permitted to the extent that the commercial terms do not conflict with the SCCs (and the text of the SCCs is not amended, aside from the inclusion of the new clauses). It is worth noting here that the processor terms in the SCCs do not exactly map the Article 28(3) requirements in the GDPR, which is something the parties may choose to address in any related agreement between them.
Limitations on liability
The Q&As make it clear that in the underlying commercial contract, any complete or comprehensive exclusion of liability by one party to the other for breaching the SCCs is not permitted as this would contradict the provisions of the SCCs and would likely prejudice the rights and freedoms of individuals. However, it is less clear whether clauses in the underlying commercial contract allocating liability or setting liability caps (rather than a complete or comprehensive exclusion) will be permitted. The Q&As state that “clauses in the broader contract (e.g. special rules on the distribution of liability or caps on liability) may not contradict or undermine these liability schemes of the SCCs”. This refers to the two liability schemes in the SCCs: the one governing liability as between the parties and the one governing the liability as between the parties and the data subjects.
Any attempt in the underlying commercial agreement to limit or allocate liability between the parties and the data subjects (including for breaching the SCCs) is unlikely to be permitted, not least because this would almost certainly prejudice the rights and freedoms of individuals.
However, the position in respect of limiting or allocating the liability of the parties towards each other is less obvious. Depending on the exact terms agreed between the parties, it may still be possible to allocate liability between the parties and/or include limitations and caps in the underlying agreement, including for breaches of the SCCs, providing this does not prejudice the rights and freedoms of individuals. In particular, organisations may consider setting limitations or allocating liability between them in such a way that compliance with the SCCs isn’t disregarded. This may help mitigate the risk of any such allocation or limitation invalidating the SCCs. For example, a very low cap on the importer’s liability may mean that the importer is more willing to risk not complying (or not fully complying) with the terms of the SCCs, which could have a negative impact on data subjects. A higher cap on the other hand, would arguably provide a greater incentive for it to comply with those terms.
Term and termination rights
As the right to terminate under the SCCs is limited to the parts of the contract that concern the processing of personal data under the SCCs, the termination of the SCCs as a result of non-compliance will not always result in the data exporter being entitled to terminate the wider contract. The parties will therefore need to consider what termination rights to add to the broader contract. In addition, controllers sharing data should bear in mind that the SCCs remain in force for the duration of the importing controller’s processing of the data for the purposes specified in the Annex to the SCCs. As such, the parties may need to ensure the purposes are drafted at the outset with this in mind.
Interaction of the SCCs with the extra-territorial application of the EU GDPR
The Q&As confirm that the SCCs may not be used for data transfers to controllers or processors whose processing operations are subject to the GDPR by virtue of the extra-territorial application of the GDPR. The EU Commission has reiterated in the Q&As that it is in the process of developing an additional set of SCCs for this scenario, however no timeframe has been provided for when we can expect them to be finalised. This of course does little to answer the question of what clauses should be used in the meantime. The EDPB’s draft guidelines 5/2021 suggest that a slimmed down version of the SCCs should be used, in order to avoid duplicating the GDPR obligations on the organisation caught by Article 3(2), which echoes the concerns expressed by the EU Commission in the Q&As. However, until these new clauses are produced/finalised, and given the limited circumstances in which this situation is likely to arise, it is likely that a number of organisations will take a pragmatic approach and use the SCCs in their current form. For data transfers from the UK, the option of using the IDTA is available to data exporters as the IDTA specifically provides for transfers to organisations caught by Article 3(2) of the UK GDPR.
SCCs and transfer impact assessments (TIAs)
Disappointingly, the Q&As don’t include new guidance or detail in relation to TIAs, which continue to be challenging for organisations. Perhaps unsurprisingly, the Q&As direct readers in the first instance to the guidance contained with the SCCs, with the stricter EDPB recommendations 01/2020 being referenced afterwards as guidance that “should be used together with” the drafting within the SCCs. While it is not surprising that the EU Commission emphasises its own approach, it is useful confirmation of the more pragmatic line taken by the EU Commission (which facilitates reference to importers’ practical experience, where carefully corroborated, whereas the EDPB guidance does not). This approach is also more closely aligned with the risk-based approach set out in the ICO’s draft guidance on transfer risk assessments.
The Q&As remind us that as a general rule, when sharing data received under the SCCs with another entity inside or outside its country of establishment, the data importer has to ensure that it continues to benefit from equivalent protections. This can be done in different ways, for example if the third party accedes to the SCCs or by concluding a separate contract with the third party ensuring similar protections to those provided under the SCCs. The controller-to-controller module of the SCCs requires the level of protection provided by the binding contract with the third party to be “the same” as that of the SCCs, whereas the Q&As refer to the level of protection provided needing only to be “similar”. It will interesting to see if this is followed up with a more flexible approach, at least from the EU Commission, in relation to onwards transfers made under other countries’ equivalent safeguards, such as via the UK’s IDTA.
How to complete SCCs
How to include multiple parties
The Q&As provide helpful guidance on the operation of the new “docking clause”. This is an optional clause which allows for new parties to join the SCCs throughout the lifecycle of the contract, with the consent of all the pre-existing parties. The SCCs do not regulate the formalisation of such consent – which should instead be done in accordance with the applicable national law governing the SCCs. For example, if allowed under applicable contract law, one party may be appointed by the others to agree to the accession of a new party on behalf of all pre-existing parties. The Q&As make it clear that amending the main contract to which the SCCs are annexed is not sufficient to add parties to the SCCs, and instead the Annexes to the SCCs must be updated.
How to fill in the Annexes and level of detail required
The Q&As largely reiterate the guidance already included in the SCCs and in EDPB guidance. The level of detail required can often be challenging for organisations for a number of reasons, including when the parties don’t always have equal expertise and knowledge in this area. Where possible, some organisations draw on the detail contained in other (related) agreements.
Much of what is in the Q&As will be already known or assumed by organisations accustomed to dealing with international transfers and SCCs. However, it is still helpful to have those approaches confirmed and some of the procedural uncertainties cleared up.
There are still areas of uncertainty that remain and no doubt further questions and challenges will emerge as the SCCs are used by organisations across a variety of scenarios and the deadline of 27 December (when the old SCCs must all be replaced) approaches. The EU Commission has anticipated this by designing the Q&As to be “dynamic” and intends to update them as new questions arise. In the meantime, organisations should ensure that procurement teams and others involved in negotiating broader commercial agreements are made aware of how the SCCs operate and some of their restrictions that may impact wider commercial terms (e.g. around limitation of liability) to ensure that the SCCs are not inadvertently invalidated.