New standard contractual clauses published for consultation

On 12 November 2020, the EU Commission published the drafts of new standard contractual clauses (“new SCCs”) for public consultation.

25 November 2020

Publication

On November 12, 2020, the EU Commission published the drafts of new standard contractual clauses ("new SCCs") for public consultation. Any feedback must be provided by December 10, 2020.

The EU Commission not only updated the existing clauses to cover Schrems II, but it also provided clauses for the previously unregulated cases of data transfers by a processor to a controller and by a processor to other processors.

Background

Standard contractual clauses are an instrument that allows persons responsible for data protection ("data controllers") to transfer personal data to countries outside the EU/EEA ("third countries") or have personal data processed there.

Essentially, these are standardized contractual texts specified by the EU Commission, which are concluded between the respective data controller in the EU/EEA ("data exporter") and the processor or data controller in the third country ("data importer").

The conclusion of corresponding contracts meets the data exporter's obligation to ensure that the personal data it exports to the third country is not deprived of the level of data protection guaranteed under the GDPR.

Since 1995, the standard contractual clauses have been revised several times, but their adaptation to the legal framework created by the GDPR in 2018 is still pending. The Schrems II proceedings on the questionable protection standard in the USA, which ended in October 2019 before the European Court of Justice, again revealed the need in practice for more up-to-date standard contractual clauses.

An additional flaw of the existing versions of the Standard Contractual Clauses is that they do not offer solutions for some types of transfer. Processors who wish to transfer data collected within the EU/EEA to a third country cannot do so on the basis of the existing clauses; in practice, this has often only been possible by means of data protection clauses approved by supervisory authorities or with the separate consent of the data subjects.

The EU Commission now wants to remedy this (and much more), as further summarised below.

Expected scope of application

The new SCCs cover the data transfer scenarios to countries outside the EEA as referred to above, particularly adding processors as possible data exporters. This reflects the position under the GDPR in that processors are subject to the same rules relating to international transfers of personal data as controllers under Chapter V of the GDPR. Namely the following scenarios are covered:

  • controller to controller ("C2C");
  • controller to processor ("C2P");
  • processor to processor ("P2P"); and
  • processor to controller ("P2C").

For this purpose, the new SCCs provide modular clauses, which can be implemented by the respective parties according to the required scenario alongside general clauses which apply to all scenarios. 

In the following we summarise the key points that apply to all scenarios and then highlight the peculiarities of the individual scenarios. In regard to the latter, we particularly highlight requirements that might prove challenging to the parties to the new SCCs.

General Key Points

Warranties (Sec. II Clause 2)

The new SCCs go to the heart of the issue raised by Schrems II. In other words, they make it clear that it is the responsibility of the party making the transfer to assess whether the location to which personal data is to be imported offers an adequate level of protection for the personal data.

Each party is required to warrant that it has no reason to believe that local laws at the destination will prevent it from complying with the new SCCs. Moreover, the parties cannot give that warranty without making further inquiries: they have to separately warrant that they have considered various points such as the nature of the data being transferred, the laws which apply in the destination country and the safeguards applied to the data.

When carrying out such an assessment, the data importer must cooperate with the data exporter and provide the data exporter with relevant information (and keep it up to date on an ongoing basis), such that the information can be re-used with all of its customers/data exporters. The data importer must notify the data exporter if it cannot comply with its obligations (e.g. due to local laws). In such a case, the data exporter must require the data importer to comply with additional measures. Where this is not possible, the data exporter must suspend the transfer, inform the competent supervisory authority and is entitled to terminate the contract.

These requirements mean that organisations must carry out the assessment referred to above before signing the new SCCs. In many cases, we envisage that this will involve substantial effort.

Obligations in case of government access requests (Sec. II Clauses 3.1 and 3.2)

The new SCCs impose substantial obligations on the data importer if a government access request is raised in relation to the transferred personal data, as follows:

  • Notifications: The data importer must notify the data exporter and/or the data subject of any government access requests and share respective information with the data exporter on an ongoing basis. If the data importer is restricted by law from providing such information, it must use its best efforts to obtain a waiver from this restriction and document its effort to do so.

  • Review of Legality and Data Minimisation: The data importer must conduct a (documented) review of the requests, where possible challenge them, and exhaust all available remedies where there are legal grounds to do so. Where, despite such efforts, the data importer has to disclose data to the authorities in response to a request, it must provide the minimum amount of data possible.

Docking (Sec. I Clause 6)

Controllers and processors may now accede to the SCCs as additional data exporters or importers throughout the life cycle of the underlying contract. We view this as a helpful clause from a structural perspective, reflecting that most intra-group transfers are multilateral (and may change over time) rather than simply being bilateral.

Security (Annex II)

Annex II of the SCCs sets out a wide range of examples of technical and organisational measures that data importers and exporters shall implement to ensure an appropriate level of data protection. These include requirements for pseudonymisation and encryption of personal data, for the resilience of processing systems, and for the protection of data during transmission or storage.

Hierarchy (Sec. I Clause 4)

In case of conflict with provisions of other agreements between the parties, the SCCs will prevail. Exporting parties will have to consider this hierarchy when implementing the new SCCs into their current contractual framework. This applies particularly in regard to liability clauses.

Governing law and Choice of jurisdiction (Sec. III, Clauses 2 and 3)

It should be highlighted that the SCCs do not expressly require a data exporter to be based in the EEA. This is aligned with the fact that the GDPR does not only apply to parties within the EU. As a result, controllers and processors outside the EU will most likely be able to use the new SCCs for transferring personal data (in respect of which their processing activities are subject to the GDPR) to other third-country parties.

Individual Processing Scenario Peculiarities

Controller to Controller ("C2C")

The new SCCs require data importers in a C2C scenario to comply with various information obligations and processes:

  • Transparency (Sec. II, Module 1 Clause 1.2): The data importer will have to comply with information obligations towards data subjects. This namely includes information on its identity and contact details, on any change of processing purposes and, in case of disclosures to third parties, on the purpose of such disclosure and the third parties' identity.

  • Data Breach Response (Sec. II, Module 1, Clause 1.5): Data importers will have to notify the exporter, as well as the competent European authority (and potentially data subjects), of data breaches. It should be highlighted that (in deviation from the stronger GDPR standard) such notification obligations only apply where the breach is likely to result in "significant adverse effects".

  • Documentation and compliance (Sec. II, Module 1 Clause 1.9): Both parties must document and be able to demonstrate to the authorities how they will comply with the SCCs.

  • Data subject rights (Sec. II, Clause 5): The data importer must be able to deal with data subject inquiries and requests in regard to their data subject rights.

Controller to Processor ("C2P")

In the C2P scenario, the new SCCs tighten the requirements on processors already required under Art. 28 GDPR.

  • Storage limitation and return of personal data (Section II, Module 2, Clause 1.5): Data importers will have to delete or return the personal data on termination of the processing, with no exceptions (e.g. local law retention requirements).

  • Security of Processing (Section II, Module 2, Clause 1.6(a)): In regard to technical and organisational measures, the new SCCs include specific "Schrems II flavoured" requirements. In particular, in case of pseudonymisation, the additional information needed to attribute the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter.

  • Documentation and Compliance (Section II, Module 2, Clause 1.9): Data importers in a C2P scenario will have even stricter documentation and compliance obligations than their counterparts in a C2C scenario; for instance, data importers will also need to submit to audits by or on behalf of the data exporter.

  • Use of Sub-processors (Clause 4, Module 2): The new SCCs impose more specific rules on appointing sub-processors than the GDPR. In addition to the rules set out in Art. 28 para. 2 GDPR, the data exporter must always be given the right to object to the appointment of a sub-processor prior to the appointment. As an additional restriction, the new SCCs require that the data importer make the data exporter a third-party beneficiary of the contract with the sub-processor in case the data importer becomes insolvent.

Processor to Processor ("P2P")

The points raised in regard to the C2P scenario (see the C2P section above) also apply to the P2P scenario. In addition, the new SCCs set out requirements to ensure the "chain of command" between the controller, the EU processor (acting as data exporter) and the third-country sub-processor (acting as data importer). The controller is therefore the root of the instructions, and the non-EEA sub-processor must act only according to such instructions.

Processor to Controller ("P2C")

The new SCCs set out the responsibility of EU processors in cases of so-called "reverse transfers", namely where a non-EEA controller appoints an EEA processor to process non-EEA data, which the EEA processor then transfers back to the controller. The SCCs require the EU processor to act in accordance with its responsibilities set out in Chapter V of the GDPR (Transfer of personal data to third countries or international organisations) when dealing with non-EEA controllers.

Entry into Force

If these new SCCs come into force, data exporters and data importers will have one year to implement them, starting from the date the new SCCs enter into force. Until the end of this grace period, they may continue to rely on the old standard contractual clauses (set out in Decisions 2001/497/EC and 2010/87/EU), provided such clauses still provide appropriate safeguards for the relevant data transfer. As a result, we see the need to replace the old SCCs with the new SCCs at the latest by the expiry of this grace period.

Supplementary Measures

Please be aware that, when relying on the new SCCs (for data transfers to a country outside the EEA) once they become applicable, it has to be assessed whether there is anything in the law or practice of the third country that may impinge on the effectiveness of the new SCCs. If the assessment reveals that the SCCs are not effective (e.g. if the data importer falls under Section 702 of the U.S. FISA), the data exporter will need to consider (where appropriate in collaboration with the data importer) whether supplementary measures exist which, when added to the SCCs, are able to ensure that the transferred data is afforded in the data importing country a level of protection equivalent to that guaranteed within the EU. If such measures (e.g. of a technical nature) exist, they have to be implemented. In this respect, the European Data Protection Board's "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data", adopted on 10 November 2020 and published for public consultation until 21 December 2020, need to be taken into account.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.