
The Privacy Advisor | Standardizing data-processing agreements globally


Privacy professionals around the world are feverishly working on configuring and implementing the European Union’s new standard contractual clauses. Effective Sept. 27, companies in the European Economic Area entering into new cross-border data transfer arrangements with companies outside the EEA based on SCCs must adopt the new versions. Any recipient that signs the new SCCs promises it has matching agreements in place with its own vendors according to Clauses 8.8 and 9. Myriad businesses are affected because every company has numerous affiliated and unaffiliated vendors and other business partners worldwide. To remain open to businesses from the EEA, all companies need to have the new SCCs in place by Sept. 27.

To further complicate an already difficult situation, many countries have issued requirements that businesses must impose similar and different contractual clauses to protect the personal data of their residents, including, most recently, several U.S. states. Additionally, businesses have to flow these other clauses through to multiple tiers of service providers. Addressing these requirements with separate contracts, one country at a time, quickly becomes unmanageable. A medium-size multinational business with subsidiaries, employees and customers in 20 jurisdictions and vendors in an additional 20 jurisdictions would need to implement 400 data transfer and processing agreements. If each of those vendors has 20 vendors, we are counting 8,000 contracts originating from one multinational business, and that is before we have looked at additional tiers of suppliers and considered that large businesses have thousands of vendors.

Privacy professionals need to develop practical approaches. Companies need to work collaboratively with supply chains and customers to pursue solutions that all businesses can scale globally. In-house counsel cannot afford to focus just on the new SCCs. Multistakeholder compliance teams within companies need to address requirements for data from multiple jurisdictions at the same time. For most service providers, this is not only a compliance topic, but also an urgent condition to sales and commercial success.

Implementing the new SCCs

Just dealing with the latest from the old world presents challenging problems: The new SCCs consist of more than 25 pages — the word count exceeds 11,400 — contain multiple modules, mandate selections, and require companies to fill out annexes and prepare detailed written descriptions of security measures, processing instructions and cross-border transfer impact assessments.

Companies must adopt the clauses without revisions or modifications to enjoy the corresponding exceptions under the EU General Data Protection Regulation, according to Clause 2. Companies are not prohibited from adding commercial clauses concerning liability, warranties, disclaimers and indemnification but must not contradict Clause 12, e.g., by completely rendering the clauses ineffective by way of an absolute limitation of liability. But, in practice, it is preferable to address risk allocations in separate commercial agreements, to avoid complicating or delaying the implementation of the new SCCs, in which both parties have a common interest. In many cases, the commercial agreements are already in place or being negotiated by separate teams of attorneys and procurement professionals whom privacy professionals may prefer not to draw into the intricacies of data-processing agreements.

Multiple modules may apply to any given business relationship. Therefore, companies should consider adopting the new SCCs in their entirety and defining their applicability to particular data transfers in Annex 1 instead of signing up to individual modules separately.

Multinational companies that insist on separate, direct bilateral contracts between every subsidiary and subprocessor on the vendor side are demanding the impractical. In most situations, solutions have to include hub-and-spoke contracting models in which one entity in the customer group engages with one entity in the vendor group and then they pass the contractual commitments to their respective affiliates. Incorporation by reference and multiple parties signing one contract should also be considered. To help each other, the parties could agree to sign separate, additional bilateral versions in case of a legitimate need.

Businesses should also think long and hard about the pros and cons of using the new SCCs for processing arrangements within the EU. These are shorter and less burdensome but introduce extra complexities. Alternatively, companies can use the new SCCs across the board for processing agreements within the EU, given the European Commission expressly stated the new SCCs "should also allow to fulfil the requirements of Article 28(3) and (4)" of the GDPR and constitute "standard contractual clauses pursuant to Article 28(7)" of the GDPR; see Clause 2 and Recitals 8 and 9 of Commission Decision (EU) 2021/914 of June 4, 2021.

With the new SCCs, companies have to agree on instructions for processors, which can refer to the service provider's standard technical specifications. Also, companies need to document “transfer impact assessments” pursuant to Clause 14, implementing requirements that the Court of Justice of the European Union promulgated in its “Schrems II” decision and the EDPB expanded in its final recommendations June 18. Several German data protection authorities have started to audit German companies with questionnaires, asking questions such as, “If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs, please describe in detail your reasons for this conclusion and provide appropriate evidence.” Service providers outside the EEA should proactively prepare information for such assessments to render their offerings legally usable for customers in the EEA.

Divided state laws in the US

Multiple states have passed omnibus privacy laws, inspired by the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Companies doing business in or with the U.S. must deal with this patchwork of laws until possible harmonization comes from an omnibus federal privacy law. On the customer and vendor side, companies need to consider their position with respect to “selling personal information.” They cannot rely on exceptions for processing arrangements unless particular terms relating to selling and sharing for cross-context behavioral advertising and personal information are put in place. Slightly different terms are required for all controller-to-processor flows of personal information under Virginia's Consumer Data Protection Act and the Colorado Privacy Act. Seemingly simple clauses, like "vendor agrees to comply with California privacy laws," are ineffective and insufficient because customers need statutorily prescribed commitments concerning the use and sharing of the customer's data.

Some companies have started to integrate legally mandated data-processing terms into commercial agreements. Others have created detailed, state-by-state addenda with complicated and repetitive terms. Form agreements often conflate commercial questions, such as risk allocation, with compliance questions, the legal need to put certain contractual terms in place, and lead to lengthy negotiations and documentation that cannot easily be leveraged for new contracts. To avoid the adverse impact on sales cycles and legal budgets, companies should consider consolidating mandated clauses in a concise set of data protection standards they would be willing to agree to as customers or service providers — which most companies are in different parts of their businesses.

Most requirements can be addressed on less than two pages with pragmatic and concise drafting. At the end of the day, processors must commit to using the customer's personal data only to provide their service and keep the data secure. If one adds a few more statutorily required concepts, one can address 80% to 90% of requirements in data protection laws around the world. Keeping the document as short as possible means fewer words for all involved to review and negotiate. And adding terms that are legally necessary for the data-processing agreement should greatly reduce the need for negotiations. What it should come down to between the parties is an alignment on the roles of the parties, controllers-to-businesses or processors-to-service providers, and the rest should follow.

Beginning Jan. 1, 2023, the CCPA includes a third possible characterization of a “contractor” that imposes fewer limitations on processing activities compared to those applicable to a “service provider.” But the contractor characterization is more challenging to align with a processor characterization under the Virginia and Colorado laws and the GDPR and, therefore, a less practical option. To the extent it applies, the U.S. Health Insurance Portability and Accountability Act warrants its own separate “business associate agreement” but should also be kept separate from the commercial agreement and only cover the legally required terms.

Latin America

Countries in Latin America have not yet harmonized their data protection laws or developed a uniform approach to cross-border data transfers.

Argentina and Uruguay have qualified for "adequacy" decisions by the EU Commission. This means companies in the EEA can transfer personal data to these countries without signing the new SCCs or conducting detailed transfer impact assessments. Yet, companies might want to rely on them anyway in the interest of standardization because customized agreements as an alternative create additional burdens on contracting processes.

For transfers of personal data from Argentina, the Agency of Access to Public Information has published its own model clauses for international data transfers to countries not deemed adequate by the DPA. It might also accept the new SCCs instead of its own model clauses, given that it accepted the earlier versions. The same approach should be viable for Uruguay. Companies that follow this approach should be clear in their contracts that they apply the new SCCs also to personal data concerning data subjects in Argentina and Uruguay. This expansion in scope seems suitable for countries with GDPR-like laws, in the interest of standardization, but should be avoided for countries with entirely different regimes, particularly those with significant risks of private litigation, like the U.S.

Other countries in Latin America, such as Colombia and Mexico, have had data privacy laws in place for a while and requirements for international data transfers without reference to model clauses. In Mexico, international data transfers must be consented to by data subjects in the relevant privacy policy, or be an intra-group transfer necessary for the performance of a contract with the data subject, compliance with a legal obligation, the enforcement of rights or public interest. In Colombia, international data transfers are prohibited unless to a country deemed an adequate jurisdiction by the Superintendencia de Industria y Comercio, the data subject grants express consent, the transfer is necessary for the performance of a contract with the data subject or the transfer serves public interests. Under Colombian law, when the transfer takes place between a controller and processor or between two processors that follow the same privacy policy, it is a data transfer, controller-to-controller, or transmission, controller-to-processor. All data transfers and transmissions in Colombia must be documented in a data-sharing agreement.

Other countries in the region, such as Chile, do not have a comprehensive data protection law yet so there are no specific requirements for using SCCs. Yet, other countries that are not deemed adequate jurisdictions by the EU Commission have data protection laws in place and will accept that international data transfers rely on the EU Commission–approved SCCs. In Peru, international data transfers under Peruvian law are authorized if they are supported by a written agreement that will guarantee the same level of protection as Peruvian law and, for that purpose, the old and new EU SCCs are acceptable. In addition to a written agreement, under Peruvian law, data subjects must grant express consent to international data transfers except if necessary for performing a contract with the data subject or in case of public interest.

Last but certainly not least, Brazil has enacted a General Data Protection Law that entered into force in September 2020 and is similar to the GDPR. One of the transfer mechanisms under the law is model clauses, but Brazil’s Autoridade Nacional de Proteção de Dados has not yet published any. Although there is no official statement from the DPA in that regard, considering the law in Brazil was inspired by and followed the same principles as the GDPR, many businesses expect the new SCCs will be deemed acceptable for personal data transfers from Brazil, as well.

Asia-Pacific

Countries in the Asia-Pacific region have not made any real attempts at harmonizing their national privacy laws on a regional basis. Countries that have enacted privacy laws will find them quite different from their neighbors' laws. But they have been working on solutions for cross-border data transfers, including within the Asia-Pacific Economic Cooperation framework.

Some APAC countries have not yet enacted specific privacy or data protection laws with explicit, omnibus cross-border transfer restrictions, including Vietnam, Indonesia and Thailand. Thailand's laws have been drafted and are based loosely upon the GDPR; they will come into force next year. 

Countries with moderately long-standing privacy laws, such as Australia, New Zealand, Singapore, the Philippines and Malaysia, increasingly align their laws to the GDPR. In many of these jurisdictions, some form of contractual requirement may be required and acceptable to ensure the legitimate transfer of personal data outside their jurisdictions. Most APAC countries have not prescribed national SCCs or expressly endorsed the EU's SCCs. Singapore's Personal Data Protection Commission has acknowledged the EU SCCs may be adopted, but other countries have remained silent on this point. Therefore, companies have to carefully consider the pros and cons of expanding the scope of the new SCCs to personal data from these jurisdictions. Many are likely to hold off until clearer needs and benefits emerge and, in the meantime, use more focused and limited commitments as proposed for U.S. privacy law compliance.

Japan has an advantage when it comes to transfers to and from the EU. It received a mutual adequacy decision with the EU in 2019 — the first country to do so after the GDPR went into effect. This allows the transfer of personal data to the EU from Japan to be made freely, and from Japan to the EU with just a simplified contractual arrangement. New Zealand earned adequacy before the GDPR took effect, and South Korea expects to agree on mutual adequacy with the EU soon.

Finally, China’s Personal Information Protection Law goes into effect Nov. 1 and has many aspects that are similar to the GDPR but does not fully synchronize with the GDPR or other jurisdictions' privacy laws. It is believed that China will publish its own SCCs instead of accepting the new EU SCCs, but details are not yet available.

Conclusions and outlook

Data-processing agreements are both a sales and compliance topic for many organizations. Customers using cloud solutions hosted globally are being pressured by regulators, litigants, their data protection officers and various other stakeholders. Organizations across all jurisdictions and industries need to develop practical solutions for data-processing agreements that can be implemented through the data-processing chain. All feel an urgent need to simplify and standardize.

For all countries within and a few outside the EEA, the new SCCs offer opportunities for standardization. For countries that do not require or reward an expansion of the new SCCs, companies can deploy concise, consolidated data-processing terms that address descriptive national statutory requirements, ideally without repetition and unnecessary complexities.

Businesses need to work collaboratively on this topic and separate contracting for compliance, where their interests are largely aligned, from contracting for commercial risk allocation, where their interests tend to be diametrically opposed. Privacy professionals should take a holistic view and be sympathetic to each contracting party's position in the supply chain. It is in everyone’s interest to document technical and organizational measures well, satisfy documentation requirements under data protection laws, clarify obligations, and avoid ambiguities, raising amorphous negligence claims in case of a security breach. Customers and service providers each need meaningful, written instructions regarding personal data processing to keep the customer in control, and both parties can rely on exceptions from transfer restrictions. Companies within and outside the EEA need the relevant information to document transfer impact assessments, and companies outside the EEA are better positioned to compile the relevant facts.

If organizations or individuals refuse to take compliance-focused, pragmatic and collaborative views, they risk becoming an unnecessary obstacle to data flows and economic cooperation. This will impact their ability to focus on many other — arguably, more important — data privacy protection tasks, such as data security, transparency, retention and deletion. They also risk paralyzing their compliance programs and hindering revenue generation. Not one size fits all, but basic principles highlighted in this article apply to most businesses.


4 Comments


  • Rajesh Kumar Viswanathan • Sep 29, 2021
    Hi,
    Interesting article. I just want to check and have clarity, as I see in cases where vendors who are issuing a standard template of the SCCs they are using the DPA SCC issued under Art. 28 para 7 as the basis, and they just reference the 2021 New Standard Contractual Clauses for Cross Border Data Transfers (which is mandated under Art. 46 para 2 (c), GDPR). My question is: "Is just referencing the new SCC under Art. 46 para 2 (c) along with the DPA SCC sufficient to meet compliance?" I probably look at the error in use of the term SCC when Europe published the new template. In the past SCC referred only to the Cross Border Data Transfer requirement, which currently in the new versions applies differently for Art. 28 para 7, which is an alternative to the DPA which organizations sign between as Controller and Processor, and the other one on cross border data transfer. Kindly enumerate, as there are different schools of thought on how they can be standardized.
  • Lothar Determann • Oct 1, 2021
    Hi Rajesh, for a truly intra-EU data sharing arrangement between a processor and a controller, you can also use the new processor SCC that the Commission promulgated for this purpose. But, in my experience, data often ends up crossing borders at some point, e.g., because a subprocessor is based outside the EU, and thus, using the international SCC may be the more versatile document for most situations. The Commission expressly stated in the decision adopting the new international SCC that they also satisfy Art. 28 GDPR requirements.
  • Tobias Bräutigam • Nov 23, 2021
    I am still struggling with the dilemma expressed in those two sentences: "Companies must adopt the clauses without revisions or modifications to enjoy the corresponding exceptions under the EU General Data Protection Regulation, according to Clause 2. Companies are not prohibited from adding commercial clauses concerning liability." Clause 12 seems very clear to me and any limitation is a deviation. I agree with the intention to come to the result that limitations of liability make commercial sense, I just struggle with the reasoning. Any ideas? Limitations of the EU competences regarding contract law maybe?
  • Cristina Montelongo • May 19, 2022
    Hi, thanks for this article! Reading Clause 2, Recitals 8 and 9 of the Decision 2021/914, they say that transfer SCCs can serve as DPA under article 28.7, but to me only for processing that falls under an international transfer. I am not sure these pieces allow to interpret that the Commission is referring also to processing within EU:
    
    Recital 8: "it should be possible to use the SCCs [...]  for the transfer of personal data to a sub-processor in a third country [...] In particular that will be the case where the controller and processor use the SCCs [...] under article 28.7"
    
    Recital 9: "Where the processing involves data transfers from controllers subject to Regulation (EU) 2016/679 to processors outside its territorial scope or from processors subject to Regulation (EU) 2016/679 to sub-processors outside its territorial scope, the standard contractual clauses set out in the Annex to this Decision should also allow to fulfil the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679"
    
    Clause 2.a.: "These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679". This recital is specially clear.
    
    When read in conjunction with art. 28.6 GDPR, to me the interpretation is that the Commission is saying that if your processing at all times involves international transfers, you do not need to sign additionally a data processor agreement, the SCCs are the DPA themselves. However apparently the Commission is not thinking of processing agreements with two different components, part of the processing with an international transfer, and part within EU only, as it may happen for example in activities in global companies. 
    
    Article 28.6 says " the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual". I would interpret this article in the same way. Otherwise, if you base only part of your processing in SCCs, on what would you base the other part? The answer to me is in a DPA. To me the article speaks about a possibility depending on the facts of the processing, not a pure free option to only enter into SCCs regardless of what the actual territorial circumstances of the processing are.
    
    Applying common sense obviously your solution makes more sense, but unfortunately data protection legislation is not characterized by its practical or logical approach. I am just not sure of the interpretation, especially by reading Clause 2.a.
    
    Could you share further thoughts or other information resources supporting your interpretation?
    
    Thank you!