Just one day following the release of the European Data Protection Board’s post-"Schrems II" guidance for international transfers of EU personal data, the European Commission issued two sets of draft standard contractual clauses that merit close attention by Canadian businesses that process EU personal data. The first draft standard was for SCCs for international transfers of EU personal data, which will replace the SCCs based on Directive 95/46 with an updated version that incorporates the "Schrems II" requirements and aligns with the EU General Data Protection Regulation and Regulation 2018/1725. The second standard was SCCs for controller-processor contracts, which creates an optional set of standard terms that meet the controller-processor requirements of Articles 28(3) and (4) of the GDPR and Article 29(3) and (4) of Regulation 2018/1725.
What does this mean for Canadian businesses?
Canadian data importers will likely need to negotiate and sign new contracts with their data exporters, but they will have greater flexibility to tailor their agreements to address a range of data-sharing scenarios that accommodate the complex and dynamic data supply chains that characterize today’s digital reality.
The European Commission invited public comment on the SCCs until Dec. 10, 2020, and requested a joint opinion by the EDPB and the European Data Protection Supervisor. Impacted Canadian businesses may wish to weigh in with any issues of concern.
Choose-your-own SCC adventure
Importantly, the new SCCs take a refreshing jurisdictional approach that will streamline the contractual dimensions of EU data protection compliance. Only one set of SCCs will apply to a particular processing activity, depending on the applicable jurisdiction, so it’s important to get it right.
If the GDPR or Regulation 2018/1725 applies directly to the data exporter but does not directly apply to you for the processing activity in question, your data exporter must use the international transfers SCCs, unless another valid transfer mechanism, like binding corporate rules, is in place. For example, your data exporter uses your cloud storage service or email marketing platform to process EU personal data or your organization is the Canadian branch of an EU-based business that processes payroll or HR data of EU personnel.
If the GDPR or Regulation 2018/1725 applies directly to both parties for the processing activity in question, they may use the controller-to-processor SCCs, though they appear to be optional. They may not use the international transfers SCCs (Article 2 of the draft implementing decision for the controller-to-processor SCCs). Some examples where your business would be directly subject to the GDPR are:
- Your application, which is used by people in the EU, gathers app analytics data or customer information, such as support emails, in-app purchases, subscriptions, etcetera (behavior monitoring under Article 3(2)(b) of the GDPR).
- You sell clothes or other goods or direct content marketing materials to people in the EU, with or without a fee (targeting goods or services under Article 3(2)(a), GDPR).
If you transfer this data onward to a non-adequate third party (i.e., as a data exporter in your own right), you must use the international transfers SCCs as a transfer mechanism (Recital 7 of the implementing decision for the international transfers SCCs), provided you follow the "Schrems II" road map.
While the controller-to-processor SCCs were designed to provide greater consistency and legal certainty across the EU, the international transfers SCCs offer a flexible, modular approach. The SCCs can be used as standalone agreements, or the clauses may be incorporated into a larger agreement, provided they don’t contradict the SCCs or “prejudice the fundamental rights or freedoms of data subjects.”
International transfers SCCs
- You must select the appropriate modules to address your respective roles and responsibilities with respect to the processing activities in question (controller-controller, controller-processor, processor-processor, processor-controller clauses).
- You may invite multiple parties to sign and new parties may accede.
- If you import EU personal data to Canada via an intermediary, they must also sign (Clause 1(b)(ii)).
- If you transfer the EU personal data to non-adequate third countries, the recipients must accede to the agreement unless continuous protection is “otherwise assured” or data subjects have explicitly consented to the onward transfer.
- Happily, the international transfers SCCs incorporate clauses that satisfy the controller and processor requirements of Article 28 of the GDPR and Article 29 of Regulation 2018/1725, obviating the need for a separate data-processing agreement. That said, if you have a preexisting DPA, the international transfers SCCs will take precedence over it in the event of a conflict.
- If you are a controller receiving personal data back from an EU-based processor (the data exporter), you do not need to include supplementary measures, provided no EU personal data is mingled with it (Recital 16).
- The data exporter must warrant that it has used reasonable efforts to determine you can satisfy your data protection obligations (Section II, Clause 1) and will likely rely on your input to document the requisite international transfers risk assessment.
- You must sign onto onerous government access provisions, which include prescriptive requirements for addressing binding government access requests and placeholders for supplementary measures provisions. This means you must be prepared to push back on certain requests and give prior notice to your data exporter, to the extent legally possible.
- The modules enshrine GDPR’s core processing principles and key obligations, which will vary depending on your role. In some cases, EU data subjects will be able to invoke their rights directly against you (Section I, Clause 2), for example, if you fail to respond to their data subject rights requests in a timely manner (Section II, Clause 5).
In addition to ensuring processors provide sufficient guarantees “in particular in terms of expert knowledge, reliability and resources” of compliance with the GDPR or Regulation 2018/1725, controllers must sign legally binding agreements. You may have included DPAs in your standard terms. Though the controller-processor SCCs are optional and parties appear to be free to continue with their existing DPAs or draft their own, the existence of EC-approved clauses will likely impact parties’ negotiating power and influence decision-making; it will be hard to justify a bespoke version that significantly departs from the EC-approved clauses. Anticipate a review of your existing DPAs to address any potentially noncompliant provisions.
Other features worth noting for Canadian businesses are:
- Data processors must promptly and properly deal with all reasonable processing-related inquiries from the controller, provide all information necessary to demonstrate compliance, and permit review of relevant documents at the controller’s request (Clause 7.4(b)). If you are a controller with an EU-based processor, this may be a welcome feature. But if you are a Canadian processor, this will likely be more onerous than your standard terms.
- Controllers also have stronger audit rights. If you are a processor and prefer to mandate the audit yourself, Clause 7.4(c) stipulates that you will bear the costs of the independent auditor. This could get costly. You’ll have to weigh the costs of the audit against the benefits of retaining control and protecting commercial confidentiality.
- If the processing involves any special category data, such as health information, racial or ethnic origin, political opinions or identifying biometrics, Clause 7.5 requires processors to detail in Annex V, and adhere to, specific restrictions or safeguards; it lists access restrictions and records, specialized training and purpose limitation as examples.
- Clause 7.7 expressly authorizes processors to use international transfers SCCs for permitted onward transfers, provided the "Schrems II" conditions are met.
- Parties must include detailed technical and organizational measures in Annex III. The clauses provide illustrative examples that include event logging requirements, default system configurations, IT security governance, data avoidance and data minimization requirements. Parties must separately detail, in Annex VII, the technical and organizational measures required for the processor to assist the controller.
- As with the international transfers SCCs, the controller-to-processor SCCs envisage multiparty agreements and the ability for new parties to accede to an agreement.
- They also provide more detailed requirements with respect to core processing principles and key obligations under the GDPR and Regulation 2018/1725, for example with respect to DPIAs, breach reporting and data subject rights.
The SCCs are one piece of a much bigger data protection puzzle. Your business will need to “complete the puzzle” by following the "Schrems II" road map mentioned above, to ensure you can deliver on your SCC commitments. This will mean building stronger privacy programs, providing greater transparency in updated, fit-for-purpose privacy notices, managing data supply chains and vendors more tightly and implementing and monitoring the effectiveness of technical and organizational measures.
Effective relationship management and communication with your EU trading partners will be more important than ever in maintaining the flow of data (and goods and services) between the EU and Canada.
In other words, the new SCCs are not mere formalities. Before signing, you should ensure you can live up to your new, more onerous contractual commitments. This infographic will help you decide which SCCs you should use (if at all) and provide tips for how to prepare.
Photo by Beatriz Pérez Moya on Unsplash