The release of new standard contractual clauses for the facilitation of data transfers was not a surprise in EU data protection circles, but it certainly wasn't something professionals could necessarily brace for.
Since the European Commission's announcement June 4, professionals have tried to digest updated language, requirements and conditions for all parties entering into a data transfer agreement. On top of that effort to comprehend is the task of sorting through the various timelines in place for the transition between old and new clauses.
Bird & Bird International Data Protection and Practice Partner and Co-head Ruth Boardman and IAPP Vice President and Chief Knowledge Officer Omer Tene chipped away at all the burning questions and concerns during a LinkedIn Live session June 15.
Boardman and Tene first outlined the key dates for the uptake of new SCCs and winding down of old clauses. Boardman noted the commission's implementing decision takes effect June 27, which means any organization that wants to use the new clauses for a new data transfer can do so at that time. Organizations can continue using old clauses for new transfers until Sept. 27, but all new transfers will require the new clauses to be in place from that date forward. The final date to keep in mind is Dec. 22, 2022, which is the deadline for old clauses to be fully replaced.
Tene wondered if there was any value in continuing to apply old SCCs for new transfers prior to the current three-month transition period put in place. Boardman said it actually makes sense to do so from a logistics standpoint.
"Let's say you're dealing with a processor or service provider; if you ask them to sign the new standard contractual clauses they will be including in that a commitment that only sub-processors have only given substantially similar commitments to them," Boardman said. "So that three-month period is actually really helpful because it allows people to sort out their supply chains."
Atop the hot-button topics Boardman and Tene covered was how to approach and work through Recital 7 of the commission's implementing decision. From the language it uses, the commission appears to suggest new clauses can't be used in transfers made to a data importer processing exported data already subject to the EU General Data Protection Regulation. Some companies working outside the EU but still subject to the GDPR via their EU establishment may see Recital 7 as a reason to skip a transfer mechanism altogether, regardless of their third-country status.
Tene boiled the question at hand down to whether Recital 7 refers to a transfer's geography or jurisdiction, noting "there is no perfect overlap between these two concepts." Boardman went as far as suggesting Recital 7's language creates a rather sobering realization regarding EU-U.S. transfers.
"You have an organization in Ireland transferring data to its parent in the U.S. The processing the U.S. organization does is almost certainly being carried out in the context of its activities of its establishment in the EU," Boardman said. "If we interpret Recital 7 as meaning this is not an international transfer, you would have the somewhat mind-blowing effect that the 'Schrems II' case invalidated (the EU-U.S. Privacy Shield) for processing that wasn't even an international transfer. I don't think that can be right."
Boardman indicated all interpretations should be reserved until the European Data Protection Board releases guidance on the interplay between territorial scope of the GDPR and data transfer rules, but she did fall back to the matter of equivalent protections alluded to in the "Schrems II" decision.
"Personally, it seems to me there are probably more reasons to say that this should be regarded as a transfer," Boardman said. "After all, GDPR doesn't exist in a vacuum. You've got to look at other laws that might be applicable and the legal system applicable to the importer. This might undermine the protection the data would otherwise benefit from."
On the topic of the updated modular design found in the new clauses, which includes four agreement options data exporters can choose from, Boardman cautioned against "feeling slightly travel sick" for those taking their first read through the complex text and bouncing between scenarios. She added the two methods for integrating relevant pieces of each module into a given agreement are to either "copy and paste" exact language or reference the module pertaining to a specific transfer activity.
Boardman also pointed out prior gaps filled by "good initiatives" featured in the new modules, including the mechanisms for processor-to-processor transfers and those from processors to controllers.
Tene probed Boardman on the new SCCs' "docking provision," which offers the ability to leave agreements open for other parties to be added over time. The provision is a new wrinkle for companies and, according to Boardman, one example of how SCCs are improved upon in these updates. At the same time, facilitating a dock isn't as simple as it may appear.
"This has to be by agreement of all the other parties (involved), and I have to say, to my mind, it's not entirely clear how that's going to work," Boardman said. "If you actually have a big group involving lots of parties, the idea of going around and getting agreement on a case-by-case basis is going to be very difficult to manage. I think the commission decision assumes there's sort of one signature page and that's how you control this."
Boardman added that instances of docking are an area where it is worth considering clarification provisions or a mechanism to avoid any contradictions.