And so, at last, they’re here. Met with a level of anticipation — and, it must be said, apprehension — equal only to the announcement of a new Star Wars film, the new European Union standard contractual clauses for “the transfer of personal data to third countries” (that’s international transfers, to you and me) were adopted by the European Commission June 4, 2021.
For those privacy professionals who are slightly longer in the tooth, this won’t have been the first time they’ll have seen a “new” set of SCCs. After the very first set of SCCs for controller-to-controller transfers were adopted in 2001, closely followed by a set of SCCs for controller-to-processor transfers in 2002, the global privacy community saw the launch of revised SCCs for C2C transfers in 2004 (by way of an amendment to the original 2001 C2C decision) and revised SCCs for C2P transfers in 2010 (repealing the prior 2002 C2P SCCs).
With each new set of SCCs, the European Commission has sought to provide updated safeguards that better take account of the ever-changing data environment in which they will be deployed. And so it is with these, the commission’s latest SCCs; yet, these are by far and away the most ambitious and eagerly awaited of all the adopted SCCs.
Why is that?
The answer is due to two other seismic events in the data privacy world that, in combination, have given rise to an urgent need for new SCCs: first, the adoption of the General Data Protection Regulation in May 2018 and, second, the Court of Justice of the EU's July 2020 ruling in "Schrems II."
With the arrival of the GDPR, there was already a clear need to update the prior SCCs, which were designed for a pre-GDPR era and so lacked many of the protections the GDPR requires. Then, when the CJEU’s ruling in "Schrems II" called into question the reliability of SCCs as a data transfer mechanism unless transfer impact assessments were conducted and “supplementary measures” implemented, the need to adopt updated SCCs became not only clear, but urgent.
Following the commission's first published draft of the new SCCs in November 2020 (attracting 148 consultation responses) and a joint opinion by the European Data Protection Board and European Data Protection Supervisor in January 2021, the new SCCs are now ready for use. Technically, the new SCCs come into effect on June 27, 2021 (i.e. 20 days after their publication in the EU's Official Journal, on June 7, 2021).
So what are they like?
Modular design
The new SCCs retain the same “modular” structure used in the commission’s earlier November draft — comprising a modular set of clauses for each of:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3)
- Processor-to-controller transfers (Module 4).
Put simply, data exporting parties choose the module that is applicable to the nature of their exports and use only the clauses specific to that module.
In this respect, the new SCCs are a huge improvement over their predecessors, which did not cater for either P2P or P2C data transfers — and so often left many data exporting parties with limited (or even no) means to achieve legal compliance when engaging in those types of transfers.
Geographic scope
Another criticism of the prior SCCs was that, due to the way they were drafted, the data exporter could only be a party established in the EU. This created challenges for data export compliance where a data exporter was established outside of the EU but still subject to the GDPR (and therefore its data export rules) by virtue of the GDPR’s extraterritorial scope in Art 3(2). If a non-EU data exporter wanted to transfer data to another non-EU party (say, a cloud processor in the U.S.), technically the SCCs were not available for use as a means for it to lawfully transfer the data in this specific context.
Again, this is a deficiency that the new SCCs have resolved — expressly recognizing that the data exporter can, itself, be a non-EU entity. Taking this and the above point on the SCCs’ modular design together, the SCCs should now provide a comprehensive basis for any type of transfer between parties, regardless of their data processing role or where they are established.
Multipartite clauses and the docking clause
The new SCCs include two other small, but significant, improvements over the prior SCCs — they allow for multiple data exporting parties to contract, and for new parties to be added to them over time (the so-called “docking clause”), beyond the initial signatories.
The prior SCCs were drafted as bipartite agreements, capturing the relationship between two parties as it existed at a static point in time, without an express means to add additional parties over time. This often created challenges when trying to implement the SCCs within large-scale intra-group, or extra-group, data transfers. Despite it being a relatively simple drafting modification to the prior SCCs to allow for extra parties (whether at the point of contracting or added over time), some questioned whether this type of modification was permitted and instead maintained that separate SCCs needed signing for each individual data flow.
The new SCCs answer this point definitively, expressly allowing multiple parties to contract and the addition of new parties over time. This will come as a welcome relief, particularly for organizations reliant on SCCs for their intra-group transfers — where new group companies may be created or acquired over time and therefore need adding to the SCCs when they are.
Transition period
The new SCCs allow the prior SCCs to continue to be used for “new” data transfers over a transition period of three months — giving organizations the chance to read into, and make any changes necessary for compliance with, the new SCCs before deploying them in practice.
Similarly, the prior SCCs can continue to be used for existing data transfers for up to 18 months — giving organizations until the very end of 2022 to move their legacy data transfers over to the new SCCs (but better to start sooner rather than later — who wants to spend their 2022 Christmas vacation putting in place the new SCCs?!)
Schrems II
The question at the front of most privacy professionals’ minds will be: “How do the new SCCs address 'Schrems II' and, in particular, how do they compare to the EDPB supplementary measures guidance?”
As it happens, an entire section of the SCCs (Section III) is designed to address "Schrems II" requirements, containing clauses on “Local laws and practices affecting compliance with the Clauses” and “Obligations of the data importer in case of access by public authorities.” These clauses are relevant to all four modules of (i.e. all types of transfers conducted under) the new SCCs.
The commission clearly had a very fine line to tread here. On the one hand, it needed to adopt provisions that were consistent with the CJEU’s ruling in "Schrems II;" on the other, it also needed to find a path through that continued to enable international data transfers (yes, even to the United States) where risk to the exported data is minimal. Come down too hard, and the commission would face cries of alarm from business that they were allowing "Schrems II" to effectively turn the GDPR into an EU data localization law; come down too soft, and the commission would face similar cries of alarm from civil society that they were adopting clauses that did not meet the requirements of the CJEU’s ruling.
Ultimately, the commission has taken a risk-based approach. The parties must warrant that they have “no reason to believe” that the destination territory’s laws will cause the data importer to be unable to fulfill its commitments under the SCCs. In giving this warranty, the parties must take “due account” of the “specific circumstances of the transfer,” the “laws and practices of the third country of destination” and “any relevant contractual, technical or organisational safeguards put in place,” and this assessment must be documented and made available to competent data protection authorities on request.
Perhaps most strikingly — and possibly previewing the final supplementary measures guidance due to be published by the EDPB later this month — the SCCs note that the assessment “may include relevant and documented practical experience with prior instances of request for disclosure from public authorities, or the absence of such requests.”
This is a ray of hope for those organizations that have had little (if any) experience with government requests for their data in practice, but that, before these SCCs, appeared to face considerable risk that their exports would be severely restricted by the strict interpretation of CJEU’s ruling by the EDPB in its draft supplementary measures guidance.
Beyond that, the remaining "Schrems II" provisions largely reflect what is slowly becoming an emergent market standard for Schrems II compliance — namely, notify the data exporter of any request (or access) by a government authority unless prohibited, and, if prohibited, use best efforts to get the prohibition waived. The data importer must review the legality of any such request and challenge unlawful requests, and further provide only the minimum information necessary to comply with any legal compulsion it is under. The data importer must also provide regular transparency reporting about the requests it receives, and notify the data exporter if it believes it is no longer able to comply with the SCCs — in which case, unless appropriate measures can be taken to remedy this risk, the data exporter may suspend and/or terminate the SCCs.
It seems reasonable to assume that no one will love these provisions: Max Schrems has already tweeted that they amount to little more than an attempt to pay lip-service compliance, while businesses will continue to struggle with the onerous requirements of undertaking transfer impact assessments that many simply do not have the expertise, resource or budget to conduct — and more still will be reluctant to challenge government requests for data made within their “home” country.
Nevertheless, those inclined to be philosophical about the new SCCs should reflect that it could have been worse — for civil society, there are onerous new measures on organizations to assess and protect the data they export internationally that reflect the requirements of the "Schrems II" ruling, while for business, the new SCCs row back some way from the very strict interpretation the EDPB initially seemed inclined to favor in its draft supplementary measures guidance. In this respect, the commission deserves credit for adeptly balancing two sets of seemingly deeply opposed requirements.
What about the Annexes?
Like the prior SCCs, the new SCCs comprise front-end, non-negotiable clauses and appended annexes where the specifics of the data export arrangements are left to be populated by the parties.
The new SCCs append three annexes in total:
- Annex 1 – Description of the transfers: Annex 1 deals with a description of the parties, a description of the transfers, and a description of the competent supervisory authority (determined by where the data exporter is established or, for data exporters established outside the EU, where its Article 27 representative is established). Perhaps the most notable aspect of Annex 1 is a new requirement that, where the data importer will onward transfer data to sub-processors, the subject matter, nature and duration of those sub-processor transfers must also be specified — placing a much greater emphasis on data exporting parties to have complete visibility of, and provide transparency over, the entire data processing chain. Organizations that have not already undertaken comprehensive data mapping exercises will need to do so in earnest to prepare for the new SCCs.
- Annex 2 – Security measures: Annex 2 deals with the technical and organizational security measures implemented to protect the transferred data. These are required to be provided in specific and not generic detail — and a lengthy list of possible measures to consider is included. Simply stating the data importer has a “robust set of information security policies and practices” will not pass muster.
- Annex 3 – Sub-processors: Annex 3 sets out a sub-processor list, and is intended for use where the data importer must receive specific authorization from the data exporter to appoint sub-processors. Where the data importer is instead given a general authorization to engage sub-processors (subject to prior notice and objection requirements), this Annex does not apply.
Can you amend the new SCCs?
The best answer to this is “yes, but...” It has long been considered a truism that parties cannot amend the SCCs. This, in fact, was never the case — commercial additions to the prior SCCs were permitted provided they did not contradict the SCCs. The same is true with the new SCCs, which say that the parties may “add other clauses” provided they do not directly or indirectly contradict the SCCs or reduce their protections for data subjects (Clause 2(a)). Further, if any related agreements between the parties contradict the SCCs, the SCCs expressly state they will prevail (Clause 5).
This begs the question of whether parties can amend the liability provisions of the SCCs, given the hotly debated nature of liability in data processing agreements generally post-GDPR. Clearly, if the objective is to reduce liability towards data subjects (or DPAs) the answer will be “no.”
But what if the objective is to limit liability only as between the parties?
This question is particularly important given that the SCCs expressly state that “each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.” Would limiting liability “contradict” this provision, or would it be considered consistent given that a limitation (rather than exclusion) of liability would still accept liability for breach up to a pre-agreed level?
The SCCs are simply not clear on this point — and it therefore seems a safe bet that parties will continue to debate liability under the SCCs (and their relationship to liability provisions within wider DPAs) for the foreseeable future.
What about transfers to importers that are already subject to the GDPR?
There's one further — slightly hidden, but potentially very impactful — point to note in the commission's Implementing Decision to the new SCCs.
Specifically, Article 1 of the Implementing Decision provides that: "The standard contractual clauses … provide … appropriate safeguards … for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-) processor whose processing of the data is not subject to that Regulation (data importer)." Similarly, Recital 7 of the Implementing Decision says: "The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679."
At face value, this language appears to suggest that where a transfer is made to a data importer whose processing of the exported data is already subject to the GDPR (i.e. under Art 3(2)), the new SCCs cannot be used. Presumably, this is because the objective of the SCCs is to ensure that exported data is processed to a standard that is essentially equivalent with the GDPR, and if the data importer's processing is already subject to the GDPR then the SCCs are redundant in this context.
If this interpretation is correct, then it could result in a significant reduction in the number of SCCs needed for global data transfers from the EU. It also raises the question of whether importing parties already subject to the GDPR under Article 3(2) still need to implement "Schrems II" "supplementary measures" where their local laws risk undermining the protections afforded by the GDPR (for example, U.S. importers caught under Article 3(2)). Guidance from the commission and the EDPB would be very welcome on this issue.
And all the rest…
There is, of course, much more that can be said: some of it good and some of it bad, depending on your perspective. No doubt, over the coming weeks and months, privacy professionals everywhere will continue to digest the new SCCs and identify what works well, and what doesn’t, as they begin to implement them.
Overall, the commission is to be lauded for its efforts to strike a difficult balance between the interests of data subjects, the looming specter of a potential "Schrems III," and the needs of data exporting organizations. Returning to the Star Wars analogy, however, whether these new SCCs will successfully bring balance to the (data protection) Force, only time will tell.
Phil Lee, CIPP/E, CIPM, FIP, a partner in the Privacy, Security and Information team at Fieldfisher (and a huge Star Wars nerd), would like to thank his colleagues, in particular Renzo Marchini, CIPP/E, CIPT, FIP, and Kuan Hon, for their invaluable review and comments on this article.