On 12 November 2020, the European Commission published a draft Implementing Decision on new standard contractual clauses for the transfer of personal data to third countries (Clauses). The Clauses try to reflect what is required under the Schrems II judgement and also to help those transferring data incorporate safeguards for data transfers which go above and beyond the current SCCs. They also address known deficiencies in the current SCCs – catering for data transfers by EU processors to sub-processors and from EU processors back to their instructing controller. The Commission has tackled a difficult topic with skill and insight and has introduced significant improvements to the current SCCs. There will, however, be a significant job for parties to move to the new Clauses – in order to resign agreements, provide enhanced transparency to data subjects and to flow down new terms to third parties and sub-processors. The Clauses propose allowing a one year transition period for this to be done. The Clauses are open for consultation until 10th December 2020.
Heavy influence of Schrems II
The Clauses are drafted to take account of, and work, with the Schrems II judgment. As one would expect, the draft Implementing Decision refers extensively to the judgment and also to the EDPB’s (draft) Recommendations on measures that can be used to supplement data transfer tools.
The Clauses retain the principles in the current standard contractual clauses (“SCCs”), which were considered positively by the CJEU in Schrems II, and which were the basis for the CJEU’s decision that the SCCs should remain valid. These principles are: an obligation on the data exporter (assisted by the importer) to consider the level of protection of personal data in the third country; an obligation on the data importer to notify the data exporter of any inability on the part of the importer to comply with SCCs; and a corresponding obligation on the exporter to suspend data transfers, terminate the agreement, or to notify the supervisory authority if it continues to transfer personal data having received such a notice.
The new Clauses incorporate further elements from Schrems II. In particular, the data exporter is required to document the transfer impact assessment which it carries out and to make this available to the competent supervisory authority on request (Section II.2(d)). The Clauses set out the factors that the data exporter must consider in a transfer impact assessment. In addition to considering the law and practice in the third country, the draft Clauses also helpfully reference i.a. the duration of the contract; scale and regularity of transfers; length of processing chain and transmission channel used; type of recipient; purpose of the transfer and the nature of the data transferred.
The new Clauses also include stronger commitments on the data importer vis a vis attempts by public authorities in the third country to access EU originating personal data. The data importer must – where possible- notify both data exporter and data subject that it has received a request by a public authority to access such data; it must assess the legality of any such order by reference to the law in force in the third country and, where it considers it has grounds to challenge the order, it must do so; where possible it must seek an interim measure to suspend any requirement to disclose data while the challenge is pending; it must also disclose the minimum amount of personal data reasonably possible in response to an order. The importer must document these requests and the steps it follows and make these available to the exporter. It must also prepare a transparency report (i.e. more general information about the nature of requests received). Readers may recognise these obligations – they are included in the EDPB’s draft Recommendations. The Commission has not included all of the EDPB’s suggested supplementary measures: in particular, the suggestions relating to “warrant canaries” and “no-backdoor warranties” have not been included. The requirement in the Clauses that the importer should document requests and make documents available to the exporter can be found in the EDPB’s list of organisational measures; as can the requirement that a processor importer should apply access controls to personal data strictly, only allowing access to personal data where strictly necessary to perform or manage the contract. The annex of technical measures could also include references to encryption or pseudonymisation; again, methods recommended in suitable cases by the EDPB. These new provisions will increase the likelihood that, in appropriate cases, a data exporter will be able to use the Clauses to undertake transfers without needing to put in place additional safeguards.
Where additional safeguards are needed, then the Commission strengthens the role to be played by supervisory authorities. If a data exporter has reason to believe that a data importer cannot fulfil its obligations under the Clauses, either because the importer has notified of this, or because it has reached this conclusion itself, then the data exporter may only continue transferring personal data if it puts in place additional safeguards; however, if a data exporter takes this approach, it must notify the supervisory authority of this, and must provide full detail of the safeguards adopted for review by the supervisory authority.
What happens to existing SCCs?
The draft Implementing Decision provides a one year sunset period for parties to put the new Clauses in place. During this period, transfers can continue to be made on the basis of existing SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the sunset provision and must move to the new Clauses. If parties change existing contracts in order to introduce additional safeguards – as required by Schrems II and the EDPB Recommendation – then they can still benefit from the sunset provision.
Implementing the new Clauses will take significant effort – both because of the requirements associated with documenting transfer impact assessments, also because of the requirements to provide enhanced information to data subjects (see below) and to flow-down the same terms to third parties/ sub-processors if there are onward transfers.
The new Clauses fix known gaps
The current SCCs can only be used by data exporters in the EU which are controllers. This means that there are no approved standard contractual clauses which can be used when a processor in the EU transfers personal data to a sub-processor outside the EU (thus putting EU processors at a disadvantage compared to non-EU processors), or when a processor in the EU returns personal data to the controller on whose behalf it is processing the personal data. There are also no approved clauses for use by data exporters which are subject to the GDPR but which are not established in the EU.
The new Clauses address these gaps, with content for use in controller to controller, controller to processor, processor to sub-processor and processor to controller situations. They also expressly state that they can be used by parties which are not established in the EU.
The new Clauses are also designed to be used by multiple parties and to allow for change over time by including arrangements for new parties to accede to them via a -perhaps StarTrek inspired – “docking clause”.
The new Clauses impose GDPR-like obligations on data importers
The existing controller to controller SCCs require the controller importer to agree to follow data protection principles based on those set out in Directive 95/46. The Clauses include some new obligations in line with GDPR. The controller importer has to agree to transparency obligations, with an emphasis on clear and plain language, as in Art.12 GDPR. Access, erasure and rights to object to processing for direct marketing are also included. One of the innovations of GDPR was to include an accountability principle and both controllers and processors have to agree to demonstrate their compliance with the Clauses; processors also have to keep records of the processing which they carry out on behalf of the controller.
However, the Clauses do not seek to impose obligations which are identical to those in GDPR. Controller importers do not have to agree to implement portability or restriction and restrictions on automated individual decision making remain closer to those in Directive 95/46 (with an emphasis on safeguards and a right to object) rather than those in GDPR. Similarly, the Clauses are not (generally) prescriptive as to how accountability is achieved – so the specific provisions in GDPR relating to records of processing activity and data protection impact assessments are not included.
What could the Clauses do better?
There can often be uncertainty as to what extent parties can introduce supplemental terms without falling foul of the prohibition on contradicting provisions in the SCCs. The Commission has tried to make clear that additional clauses can be used, so long as they do not contradict the Clauses or undermine protections for individuals. However, this is an area where uncertainty is likely to remain. While there is uncertainty around this, it will make using the Clauses more complex than it need be and will divert attention away from substantive matters towards constant rounds of signatures. By way of example one supervisory authority has expressed concerns to the authors that even the seemingly uncontroversial change of adding a counterparts clause, allowing parties to sign separate physical documents, could invalidate the SCCs. It would be helpful if the Commission could do more to reduce this uncertainty – by including more optional clauses and by making clear that clauses which are concerned with process, rather than substance, do not contradict the clauses.
Where an EU controller transfers personal data to a non-EU controller, then the Clauses introduce onerous transparency obligations. The importing controller must notify the data subject of all data transfers that it intends to make to third parties – including identifying the third party and the purpose of transfer. Where an EU processor transfers personal data to a non-EU processor, then the Clauses require that the importer provider notices and assistance direct to the controller, rather than leaving this for the exporting processor to manage. By way of example, if the importing processor wishes to appoint sub-processors, then it must provide notice of this to the ultimate controller. It is likely that the exporter will already be including the importer’s sub-processors in its list of approved sub-processors, which are already notified to the controller under Art.28 GDPR. This could easily lead to duplication and confusion.
The docking clause concept, to allow for new parties to join, is helpful. However, the mechanism by which new parties join is not clear. The Clauses say that the new party may accede by completing a new data transfer Annex, “by agreement of the Parties”. It is not clear how the existing parties would give agreement – any mechanism which requires multiple existing parties to sign agreement will quickly become unwieldy and undermine the welcome flexibility which this introduces. It would be helpful if the Implementing Decision noted that it is for the parties to determine, at the outset, how this agreement may be documented – thus allowing solutions to be used which best fit the circumstances. The Clauses provide that, from the date of accession, the new party shall have the rights and obligations of a data exporter or importer, as applicable. From a good drafting perspective, the Clauses should also state that the parties transferring data to, or receiving data from the new party shall undertake the obligations of data importer or data exporter, as applicable, in relation to the new party. We have also notice a small number of other drafting glitches, some of which are flagged in the table below.
Where the Clauses cover transfers to a processor, or sub-processor, they inevitably cover the same ground as Art.28 data processing agreements. This will lead to potential duplication or inconsistency. The Clauses address this by containing a hierarchy provision – which states that, in the event of any conflict with other agreements covering the same subject matter, the Clauses will prevail. There will inevitably be questions over this. By way of example, the Clauses follow GDPR in requiring that a processor provide notice of a personal data breach “without undue delay”; a data processing agreement may stipulate a precise time period. In this example, there is probably a good argument that a more precise period is not in conflict (unless the period would involve undue delay), but one can imagine the kind of debate that will arise on this. There is no easy way of addressing this – and the Commission proposal seems a good way forward to us, providing certainty without overriding all previous terms which have been put in place. However, this will no doubt be an area where comments are made during the consultation process.
What do the new Clauses look like?
Because the new Clauses address C2C, C2P, P2P and P2C transfers, they look very different to the current SCCs – where there are separate, free-standing, agreements for each type of data transfer. The new Clauses contain certain content which is applicable to all situations – for example, introductory provisions, provisions on non-compliance and termination. They also contain modular content which is only applicable to that specific type of transfer (C2C, C2P, P2P or P2C). As a result they feel very different to the current SCCs – practitioners will need some time to get used to them.
The structure is:
For those who want a deeper analysis of the new Clauses, the table below sets out a full summary and also shows how the modular provisions compare to each other. For brevity, in the table, we have used DS for data subject and SA for supervisory authority.
This article has been previously published on the IAPP website and shared with its members.