In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in early September, Commissioner for Justice Didier Reynders expressed hope that the long-awaited revision of standard contractual clauses would be finalized by the end of this year.
This statement undoubtedly caught the attention of the privacy community. Many privacy professionals are under intense pressure from their organizations to continue with the transfer of EU personal data to countries outside of the EU. At the same time, they need to comply with a series of additional measures imposed by the Court of Justice of the European Union in the "Schrems II" decision.
This creates great pressure and uncertainty. Amid this pressure, privacy professionals are looking for any guidance and certainty that regulators can provide. The revised SCCs are seen as part of the solution, although we hasten to add it is unlikely they alone will address all the requirements imposed by the “Schrems II” decision.
By way of background, SCCs are one of several methods that companies can put in place to legally transfer EU personal data to recipients outside of the EU. They are not the only method but certainly one of the more frequently used methods. The IAPP’s 2019 Governance Survey found that 88% of respondents whose organizations move personal data out of the EU rely on SCCs.
There are two sets of SCCs: one that deals with international transfers of EU personal data to processors, and another that deals with transfers to controllers. All currently existing SCCs were issued under the 1995 Data Protection Directive, the predecessor of the EU General Data Protection Regulation.
The original 2002 controller-to-processor SCCs were revised by the European Commission in 2010 to address issues raised by the ever-increasing globalization, outsourcing and subcontracting of personal data. The original 2001 controller-to-controller SCCs were supplemented in 2004 by an alternative set of clauses that were perceived to be more business-friendly on issues such as allocation of responsibilities and auditing requirements. The alternative set of SCCs was developed by a coalition of business associations and accepted by the European Commission because, in the eyes of the commission, this new set of clauses offers the same level of protection to EU personal data as the original SCCs.
The upcoming revision of the SCCs that Reynders referred to in his statement at the LIBE Committee has been in the works for quite some time. The revision process was initially prompted by the need to adjust the SCCs to align more directly with the GDPR. The European Commission, however, chose not to finalize the revision process and release the new SCCs prior to the conclusion of the “Schrems II” case, recognizing that the decision could necessitate additional changes.
As we all know, the CJEU upheld the validity of the SCCs but indicated that the data controller must conduct a case-by-case assessment of the protection that SCCs can provide, taking into account the nature of the data that is transferred, country of destination and type of company to which the data is transferred.
It is unknown what the new SCCs will say on “Schrems II.” A draft is circulating within the European institutions for review and not yet publicly available. It would be surprising if the new SCCs did not address the CJEU decision, but it may be overly optimistic to think that they will provide the much-needed certainty that privacy professionals are looking for. The additions are likely to be reasonably high level and generic and unlikely to replace the case-by-case assessment that the “Schrems II” decision seems to require from controllers that want to transfer EU personal data to destinations outside the EU.
The most probable scenario for the additions to the SCCs is that the revised SCCs will contain an additional representation from the data exporter that it has verified — and is satisfied — that the law of the third country of destination ensures adequate protection under EU law for the transferred data and that the level of protection required by EU law is respected in the country of destination. There also may be an additional requirement imposed on the data importer to assist the data exporter with making this determination, if so requested by the data exporter.
It is unlikely that the revised SCCs will go beyond these general requirements, especially since the CJEU made it clear that in issuing SCCs, the European Commission has no obligation to evaluate the level of data protection of the countries to which EU personal data could be transferred under the SCCs (paragraph 130 of the “Schrems II” decision). That difficult task is left to the data exporter that makes use of the SCCs and ultimately to the national supervisory authorities that are reminded they must suspend or prohibit transfers that do not offer the required level of protection.
The revised SCCs are unlikely to contain details on how data exporters are expected to determine the adequacy of the country of destination. Many companies are working on so-called “transfer impact assessments,” which they hope to use for their current and future data transfers, in combination with the revised SCCs. Almost invariably, the data importer will be requested to assist in this exercise. Even then, many companies deplore that they are placed in a position in which they are expected to become experts in third-country laws, and they hope for much-needed additional guidance from the national supervisory authorities or the European Data Protection Board.
These TIAs may need to be updated if the law changes in the country of destination. Under the existing SCCs, the data importer is already required to inform the data exporter of such changes, when they have a substantial effect on the guarantees provided by the SCCs. The revised SCCs could make this clearer, perhaps by making this into a separate obligation of the data importer.
The additions or revisions to the SCCs that are prompted by the coming into force of the GDPR are easier to predict, at least in the controller-to-processor SCCs. Article 28(3) of the GDPR states that any sharing of personal data by a controller with a processor requires a written contract with very specific provisions. These mandatory provisions go beyond what was required in a controller-processor relationship under the Directive. They also go beyond the provisions of the current C2P SCCs.
While Article 28(3) of the GDPR focusses on intra-community data sharing, many companies use the SCCs — and only the SCCs — when sharing data with processors located partly in the EU and partly outside of the EU or only outside of the EU. In both cases, some of the mandatory provisions of Article 28(3) of the GDPR are missing. This could be resolved by requiring companies to put in place a full-fledged Article 28(3) agreement on top of SCCs for those processors that are located outside of the EU.
That could prove to be burdensome. It is, therefore, generally anticipated that the provisions in the revised SCCs for C2P transfers will resemble more closely the list of Article 28(3) of the GDPR requirements. This means adding certain provisions and obligations on the processor that are currently missing. Examples include an obligation for the processor and any person acting under its authority entrusted with the processing of personal data to maintain strict confidentiality, an obligation to render assistance when the controller needs to conduct a privacy impact assessment and requires information from the processor to do so, an obligation to provide timely notification to the controller in case of a personal data breach of which the processor has become aware, or obligations relating to data retention and deletion upon the termination of the processing relationship.
For many companies, these additional requirements in the C2P-revised SCCs will not be totally new as controllers have already started to add an extra annex to the current SCCs with precisely these additions. These controllers realized that the current SCCs are outdated and incomplete, and they took it upon themselves to add the missing provisions without waiting for the European Commission to take the initiative. Companies that have taken this extra step will need to see whether their own additions match the new C2P SCCs when these become available.
Many companies are also hopeful that the European Commission will use the opportunity to simplify the structure of SCCs, especially the controller-to-controller SCCs. Many have expressed confusion with regard to the Annex of the data protection principles, which places compliance obligations on the data importer.
Once the revised SCCs are out, companies will need to determine an appropriate method to put them in place for their inter-affiliate transfers and transfers to third parties. Existing transfers under the current SCCs will need to be reviewed in light of the “Schrems II” decision and the existing SCCs replaced or amended.
The European Commission will issue a decision whereby it most likely will repeal the decisions adopting the current SCCs. On a previous occasion, more specifically the replacement of the 2002 SCCs for processors by the 2010 version, companies were given a three-month grace period to replace the old SCCs with the new SCCs. It is unclear whether the European Commission foresees a grace period in this instance.
The 2010 decision does not address whether the replacement can be done by way of an annex to existing signed SCCs. The European Commission is likely to follow the same path with the current revision and leave it to the parties to determine the best way to implement the revisions. Much will depend on the extent of the revisions. If the revisions are limited to a few additional clauses, it may be possible to capture them in an annex that supplements the set of SCCs the parties have already put in place. If the revisions run throughout the text of the SCCs, a replacement of the entire SCCs seems appropriate.
While there remains lots of uncertainty for companies engaged in international data transfers, it is clear they should focus on getting transfer impact assessments, however provisionally, underway and think through the best method to update or replace the SCCs they currently have in place. Companies should also update internal training materials to reflect the new realities imposed by the “Schrems II” decision.