EU commission publishes new SCCs for data transfers

The new SCCs, published on 4 June 2021, present a number of interesting and challenging features and will require action to be taken by companies.

10 June 2021

Publication

On 4 June 2021 the EU Commission published the new form of standard contractual clauses which are to be used to provide adequate protection for transfers of personal data from the EU to countries outside the European Economic Area ("third countries").  The new SCCs present a number of interesting and challenging features.

The clock is ticking - the current form SCCs can be used for a further 3 months from the date of publication of the new SCCs.  That may be necessary on contracts close to signing or where processes have not yet been fully set up to comply with the requirements of the new SCCs.  However, within 18 months, companies will have to replace their existing SCCs (or sooner if there is a change to the processing operations that are the subject matter of the contract).  Just as with the repapering of processor contracts that accompanied the implementation of the GDPR, companies will have to work through a process of repapering contracts with third parties outside of the EU.  Even if they have a more robust list of processors and, following Schrems II, a list of recipient third countries, it will be no mean feat for companies to repaper all their transfers in this period.

Modular format - the new SCCs adopt a modular format to enable their use in a variety of situations, specifically:

  • controller to controller (C2C);

  • controller to processor (C2P);

  • processor to processor (P2P); and

  • processor to controller (P2C).

The latter two scenarios are a welcome extension of the SCCs to deal with situations (particularly processor to processor) that were commonly encountered and in which processors are required to put in place adequate safeguards under the GDPR but which the existing SCCs did not cover.

Importer obligations - the new SCCs include a wide array of obligations on the importers in third countries that extend current obligations under the existing SCCs and which many importers will be ill-equipped to handle.  For example:

  • Privacy notices - C2C - the importer must provide a privacy notice to data subjects unless it is impossible or involves disproportionate effort (in which case a public statement must be issued, perhaps in the form of a website privacy notice).  In many cases this will likely require importers to impose an obligation on exporters to issue their privacy notice to data subjects. In the P2C clauses there is a more limited transparency obligation but one which still requires the importer to provide details of a contact point authorised to handle complaints (albeit there is reference to this being capable of delivery through a website notice);
  • Notification of breaches - C2C / C2P / P2P - the importer must notify the exporter and (in the case of C2C) the relevant data protection authority of personal data breaches that pose a risk to individuals.  In the case of C2C transfers, they also have to notify data subjects in the event that the risk to the data subjects is high (unless the notification will involve disproportionate effort in which case it will have to issue a public statement).  Again, the importer may have limited direct contact with the data subjects and may need to impose an obligation on the exporter to issue breach notices on its behalf;
  • Record of processing activities / compliance - C2C / C2P / P2P - the importer will have to maintain a record of processing activities and be able to demonstrate its compliance with its obligations under the SCCs;
  • Inaccurate data - C2C / C2P / P2P - the importer must notify the exporter in the event that it becomes aware that the data received is inaccurate; and
  • Data subject rights - C2C - the importer must comply with the usual GDPR data subject rights such as access to data, rectification and erasure.

All these obligations, and others, significantly extend the obligations on importers under the SCCs.  In the case of importers that are service providers to controllers or processors in the EU that may be a price that they are willing to pay to continue doing business with EU companies (or which they may factor into overheads passed on to EU companies).  The same might not be true of non-EU controllers using EU based processors as service providers.  The imposition of the SCCs obligations on those companies may put EU service providers at a competitive disadvantage.

The Schrems II challenge continues - the SCCs do not solve the challenge of companies having to make comparative assessments of protection for data under third country legal regimes.  They do provide some potentially helpful guidance on conducting those reviews and some potentially helpful contract obligations to address "supplementary measures" but they also impose some fairly unpalatable obligations on importers and exporters.  Some of the key points to note are:

  • the SCCs reinforce the need to undertake data transfer risk assessments which involve a comparative analysis of EU / third country legal regimes.  They include a warranty given by the parties that they have no reason to believe that the laws and practices of the third country prevent compliance with the SCCs;

  • the SCCs provide helpful content on what factors can and should be included in the data transfer risk assessment.  These include: the nature of the data / processing / recipient; the number of actors involved in the processing; the application of the third country law in practice (provided that that is by reference to objective sources such as case law); the existence or absence of authority requests for data in the same sector; and the practical experience of the exporter / importer in relation to authority access requests;

  • Notice of authority requests - the importer must notify the exporter of authority access requests and, where possible, the data subjects.  Again, the importer may find it practically very difficult to notify data subjects directly and there may be an expectation that they need to rely on the exporter to route that notification to data subjects.  Of course, notifying the exporter / data subjects about an authority request for data may be contrary to the law and the SCCs acknowledge that but also require the importer to use "best efforts" (a variable standard that might be interpreted differently in different countries) to obtain a waiver of any such prohibition.  In addition to the specific notifications required, the importer must provide the exporter, at regular intervals, with as much information as possible on the requests received by the importer.  It is not clear whether this aggregate information should relate only to the requests relevant to the exporter's data or more generally; and

  • Challenging authority requests - the importer also must challenge authority requests and there is an interesting difference between the recitals in the Decision and the text of the SCCs in that regard.  The SCCs say that the importer must "pursue the possibilities of appeal" whereas the Decision says that the importer must challenge the request including "by exhausting available possibilities of appeal". That is clearly a higher (and potentially very onerous) standard for the importer to meet.  Hopefully the DPAs look to the obligation imposed in the SCCs rather than the Decision recitals.  It is also worth noting that importers must share their legal assessment of any challenge with the exporter.  Care will have to be taken to ensure that the importer does not waive any applicable legal privilege in that analysis as a result of its disclosure to the exporter.

Deviation from the GDPR - there are some ways in which the SCCs deviate from GDPR principles in ways that are not necessarily explained in the Decision text.  For example:

  • Automated decision making - as in the GDPR, an importer that is a controller is restricted from using automated decision making that has legal effects or which significantly impacts on the individual.  Under the GDPR, such activity is permitted if the individual consents, the activity is permitted by Member State law or if it is necessary to enter into a contract with the individual.  The contract justification is missing in the C2C clauses;

  • Excessive data subject requests - in the C2C clauses, an importer can refuse excessive data subject requests but there is no mention of "manifestly unfounded" requests which also provide the same exemption in the GDPR; and

  • Notification of general breaches - aside from data security breaches the GDPR does not require companies to pro-actively self-report other breaches to data protection authorities. The SCCs do, however, require the exporter to notify the relevant data protection authority in the event that it terminates the SCCs as a result of the breach by the importer.

Impact on the wider contract / arrangement - parties have always had to think about how they fit the SCCs into their wider contract and the impact of the terms on the dealings with one another but there are some features of the SCCs that should particularly be noted:

  • In the processor modules the SCCs deal with the Article 28 requirements for processor contracts.  However, given that the SCCs will likely sit as a standalone contract the parties need to be careful that they do not write conflicting processor terms into their main agreement.  Thought also needs to be given to some of the more commercial aspects of those processor terms that are missing from the SCCs (for example, the ability of the processor to recover costs associated with helping the controller with data subject requests);

  • The main agreement between the parties will deal with allocation and limitation of liability between the parties.  The SCCs also deal with allocation of liability and direct liability to data subjects, in different ways depending on the controller / processor status of the parties.  The parties will need to think about how liability under the SCCs interacts with / is subject to any limitations of liability in the main agreement; and

  • The SCCs require, in the C2C context, the erasure or return of the data on termination of the SCCs (although it is unclear whether that is just in the case of breach or more generally if the SCCs are terminated by the parties).  That might not be an expected outcome for either the exporter or importer and could have important practical and commercial ramifications on their arrangements.

Where does this leave the UK? - the UK is not subject to the EU Commission's decision and therefore the new SCCs will not take effect in the UK.  The UK Information Commissioner is, instead, working on its own form of standard contractual clauses which it intends to consult on in the summer of 2021.  In the meantime, UK companies should continue to use the current form of SCCs - a further complexity if they are making transfers from both the UK and the EU, as the old and new forms of SCCs will have to be used alongside one another even if the data transfer and processing activity may be indivisible.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.