Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated. Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:
(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and
(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulations (“GDPR”).
Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.
Who is covered?
Following the Schrems II decision, many businesses found themselves without a viable framework for cross-border data transfers under GDPR. Indeed, the Commission’s revised clauses follow an expected modular approach for catering to various transfer scenarios amidst the intricate processing activities seen since the prior Cross-Border SCCs went into effect in 2010. Accordingly, the new clauses are available for transfer of personal data:
- From controllers in the EU to controllers in a third country;
- From controllers in the EU to processors in a third country;
- From processors in the EU to a sub-processor in a third country;
- From controllers in a third country subject to the GDPR to processors outside the territorial scope of application of GDPR; and
- From processors located in a third country subject to GDPR to sub-processors outside the territorial scope of the GDPR.
The draft SCCs represent a major change because the current SCCs apply only to transfers originating in the EU and do not extend to onward transfers. As a result, businesses will need to undertake a remediation project to assess their data transfer arrangements and replace their existing network of standard contractual clauses with the new SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the European Economic Area (“EEA”) in compliance with the GDPR.
The proposed Cross-Border SCCs are the first of their kind to actually reflect GDPR requirements, in contrast to the prior SCCs draft under its GDPR’s predecessor (the Data Protection Directive). As a result, the new clauses specifically address additional processing and transfer situations, such as transfer from processors located in a third country subject to GDPR to sub-processors outside the territorial scope of GDPR. The Cross-Border SCCs also provide for specific safeguards, in light of Schrems II. These safeguards include explicit obligations on the data importer in the case of governmental access requests to the data. The Cross-Border SCCs, however, do not relieve the parties to the processing arrangement from assessing and addressing the likely consequences of the third country’s laws.
Cross-Border SCCs require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice. In order to do this, the Cross-Border SCCs stipulate that the specific circumstances of the transfer need to be taken into account, as well as the laws of the state where the recipient of the personal data is located, especially with regards to access by public authorities to the transferred personal data. Businesses must also assess whether supplementary measures can be taken to protect personal data in the third country.
The Cross-Border SCCs also outline several new obligations. Affected parties should understand that the Cross-Border SCCs require:
- that data subjects be provided with a copy of the new clauses upon request and are informed, in particular, of any change of (a) purpose, and (b) the identity of any third party to which the personal data will be disclosed;
- any onward transfer by the data importer to a recipient in another third country mandate that either such recipient joins the SCCs or the data subject gives explicit, informed consent;
- additional obligations on processors and sub-processors as data importers comparable to the technical and organizational measures pursuant to Article 28 of the GDPR; and
- sub-processors to ensure compliance with the instructions of both the processor and the controller.
In addition, the Cross-Border SCCs describe in more detail the liability between the parties and towards the data subjects and the indemnification obligations between the parties to the transfer, and cover specific processing situations such as the merger of non-GDPR personal data with GDPR personal data by a data processor.
What about DPA integration?
The Commission’s proposed standard contractual clauses to be used between controllers and processors, as part of a DPA are also worth attention. These SCCs are the Commission’s response to Article 28(7) of the GDPR, which allows the Commission to “lay down standard contractual clauses” for the contractual safeguards required by Article 28(3) and (4) of the GDPR when a data controller engages a data processor to carry out specific processing activities on its behalf. For these types of data processing activities, the Commission has set forth these new SCCs for DPAs to standardize the data protection-related rights and obligations of the respective parties. The new SCCs also include detailed template annexes for the parties to use in describing the processing, setting forth the technical and organizational safeguards, data controller instructions, specific restrictions concerning special categories of personal data, a list of sub-processors, and more.
EU citizens and other stakeholders had the opportunity to provide feedback on the Cross-Border SCCs until December 10, 2020. After the relevant committee accepts the draft decision, a one-year grace period from the date of entry will take place until the Cross-Border SCCs are in full force and effect. During the grace period, data controllers and processors may continue to rely on the prior SCCs.
Again, change is inevitable. We expect more in the EEA and elsewhere when it comes to data governance. We will continue to monitor developments in this area, but recommend any company processing personal data from EEA take advantage of this lead time to assess its cross-border processing procedures. While the Cross-Border SCCs are yet to be finalized, the drafts give a long needed face-lift to such requirements and direction as to how companies will be expected to lawfully transfer personal data from the EEA.