On Nov. 12, 2020, the European Commission charted a new path for global data protection. With privacy professionals still reeling after dissecting the detailed recommendations on supplementary measures put forward by the European Data Protection Board the day prior, it is possible some consequential elements of the European Commission’s draft implementing decision on standard contractual clauses for the transfer of personal data to third countries slipped past unnoticed.
The commission’s draft decision includes a yearlong transition period, providing privacy professionals a moment to breathe.
But, the moment will be brief. Under the commission’s proposal, companies will need to phase out and replace all existing SCCs within 12 months of the decision’s adoption, an enormous task for many.
The draft SCCs merit our full attention and a close read, particularly by those interested in sharing feedback during the public consultation, which runs through Dec. 10.
Modernized contracts
The commission’s proposal adopts a modernized approach to contracting, recognizing and accommodating the complexity of today’s data-processing chains. Paragraph 10 of the draft implementing decision presents three noteworthy changes.
First, it explains the SCCs laid out in the Annex are modular. The Annex includes clauses pertinent to four different transfer scenarios in one document so the parties can tailor their contracts to the unique context of their transfers and processing chains.
Second, the reference to scenarios alludes to the commission’s inclusion of contractual provisions for four transfer scenarios:
- Controller-to-controller transfers.
- Controller-to-processor transfers.
- Processor-to-processor transfers.
- Processor-to-controller transfers.
The first two scenarios are accommodated by currently available SCCs, but the second two are not. Companies have pushed for SCCs that can be used in these situations for some time now, particularly given the extent of transfers from processor to subprocessors.
Third, the commission’s draft indicates that more than two parties can adhere or accede to a single set of contractual clauses, potentially limiting the number of separate contracts companies must sign when onboarding new vendors or service providers, currently an onerous task.
(10) The (SCCs) set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, which makes it possible to tailor their obligations under the (SCCs) to their corresponding role and responsibilities in relation to the data processing at issue. It should be possible for more than two parties to adhere to the (SCCs). Moreover, additional controllers and processors should be allowed to accede to the (SCCs) as data exporters or importers throughout the life cycle of the contract of which those clauses form a part.
The elephant in the room
The draft SCCs address the weighty issue of government access to data, the source of perpetual uncertainty in the realm of data transfers and, following the “Schrems II” ruling by the Court of Justice of the European Union, the main reason new SCCs are so urgently needed.
Paragraphs 16 through 22 reference the extensive provisions in the clauses themselves (tailored to each scenario) governing how the data importer must react if and when the laws of the importer impinge on its ability to comply with the clauses, specifically due to binding requests for data by government authorities. The draft decision explains additional requirements to address the impact of a third country’s laws on the controller’s or processor’s contractual commitments are necessary when the data at issue originates in the EU and not when the controller is the importer and receiving back only the data it originally sent for processing. The decision and clauses themselves address the effect of foreign laws on EU data in three ways.
First, the Annex includes placeholders to reference the EDPB recommendations on supplementary measures, thereby deferring to the types of measures the board suggests and avoiding the need to dive into the details. As a result, companies will need to consider the two sets of documents in tandem.
Second, the draft decision and Annex directly incorporate some of the supplementary safeguards mentioned by the EDPB. These safeguards are noted in Paragraph 22, including notifying the data exporter and data subject of a legally binding request from a government authority for personal data, where possible; sharing aggregate information on such requests at regular intervals; documenting such requests; and challenging such requests when there are grounds to do so.
Third, the draft decision seems to diverge from the recommendations offered by the EDPB in one respect — the weight it gives to a risk-based approach. Taken together Paragraphs 19 and 20 state that in considering whether the laws applicable to the importer prevent it from complying with the clauses, the parties should consider “any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” This statement seems to conflict with the EDPB caution against relying “on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” On this point, the commission’s draft decision aligns more closely with Paragraph 49 of the EDPB recommendations, which suggests the nature of the data transferred should be considered, as well as with the risk-based nature of the EU General Data Protection Regulation itself.
A potential shift in approach
Finally, the draft decision signals a potential noteworthy shift in approach from a territory-based to a jurisdiction-based conception of data transfers. Article 1, which describes the SCC’s scope of applicability, points to this possibility.
Article 1
The (SCCs) set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679 (data importer).
The provisions above could suggest the draft SCCs are meant to be used (and are perhaps needed only) when the “data importer” is not directly subject to the GDPR itself. In other words, the commission’s draft could mean that data transfer mechanisms may not be needed when personal data is transferred to a company outside of the EU that is already subject to the GDPR under Article 3(2).
That is because Article 3(2) of the GDPR greatly expanded the extraterritorial reach and enforceability of EU data protection law. Recognizing the technological advances that have made data accessible globally, Article 3(2) brought within its remit companies physically located outside of the EU but monitoring or directing goods and services to EU data subjects. The EDPB published detailed guidance on the extraterritorial applicability of the GDPR in November 2019, explaining when the GDPR applies to companies located outside of the EU and when it does not.
Since the GDPR’s adoption, companies have continued to implement EU data transfer mechanisms, which were carried over from the directive that proceeded it, in line with the territory-based regime of the past, committing themselves contractually to comply with GDPR requirements and submit to EU data protection authority jurisdiction even when already bound directly by Article 3(2) of the GDPR.
The EDPB considered the intersection between Article 3(2) of the GDPR and Chapter V but chose not to weigh in on the question of whether Chapter V transfer mechanisms are meant to be used when data leaves the physical territory of the EU or the jurisdictional scope of the GDPR. In the EDPB’s guidance on GDPR’s territorial scope, the board noted only “[t]he EDPB will also further assess the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V. Additional guidance may be issued in this regard, should this be necessary.”
With the draft implementing decision, the commission seems to weigh in, suggesting that data transfer mechanisms, whose purpose, according to Chapter V of the GDPR is “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined” may not be needed when that purpose is already achieved by direct applicability of the GDPR itself. Clause 1 of the draft SCCs speaks to this purpose and currently includes bracketed text, pointing to a potential shift away from the territory-based component of this transfer mechanism.
Clause 1
The purpose of these (SCCs) ... is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [for the transfer of personal data to a third country].
Other elements of the draft decision, however, alternatively point toward such a shift and create significant ambiguity regarding the commission’s thinking in this regard. Paragraph 7 does both.
(7) The (SCCs) set out in the Annex to this Decision may be used by a controller or a processor in order to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or a controller established in a third country. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 pursuant to Article 3(2) thereof, because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as their behavior takes place within the Union.
The first sentence of Paragraph 7 suggests the SCCs should be used as they always have been — to transfer personal data to a controller or processor outside of the physical territory of the EU. The second sentence, however, aligns more with a jurisdiction-based approach, suggesting organizations outside of the EU but directly subject to the GDPR can (and perhaps should) use them for transfers.
As the commission considers public feedback on its proposal, perhaps they will offer additional clarity on this topic. Their stance on this issue could be impactful if it maintains GDPR protections while reducing the need for transfer mechanisms, another source of uncertainty for companies.
What else?
The Annex containing the SCCs themselves effectuates the provisions discussed in the draft decision. Many of its provisions, including those governing data subject redress, security, liability, transparency, accuracy and onward transfers, will be familiar to organizations that have long adhered to SCCs. Still, many of these provisions have been updated. All of these too are worth a careful read and much more in-depth analysis.
Privacy professionals have their work cut out for them in the days, weeks and years to come.
Photo by ål nik on Unsplash