The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers).
This announcement is a change in course for the EC. When the EC launched the 2021 SCCs this summer, Recital 7 stated they are unnecessary when the data processing by the data importer is already directly governed by GDPR. According to the EDPB meeting minutes, the EC will develop a set of additional SCCs specifically for these transfers, it can be inferred that the EDPB viewed the issue differently and that the EDPB considers such transfers still subject to the transfer rules (otherwise, no supplemental SCCs would be required for this situation).
Recital 7 reads:
“(…) The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.”
Recital 7 has been the topic of debate ever since the 2021 SCCs were issued. At the time, it was anticipated the EDPB would have a different view than the EC. As recitals are not binding by nature, commentators had already indicated that, notwithstanding Recital 7, companies in practice might end up ignoring Recital 7 and still enter into the SCCs when the data importer is directly subject to GDPR.
In a similar vein, companies are likely to continue to use the 2021 SCCs rather than wait for the announced supplemental SCCs. For starters, it will take time for these supplemental SCCs to materialize (if these ever will at all, which we doubt, see below). But it also becomes harder to ignore that the EDPB has now confirmed — albeit implicitly — they do view such transfers to data importers to require a transfer mechanism.
Background
The position of the EDPB that the transfer rules also apply where GDPR already governs the data importer is not surprising. It is the longstanding position of the EDPB and its predecessor, the WP29, that the transfer rules apply where factual transfers take place between the EU and non-EU countries, regardless of whether the non-EU data importer was already bound by GDPR. See also Kuner in “The GDPR, A Commentary,” see p. 758:
“The interaction between Article 3 and Chapter V (on data transfers) can result in situations where the GDPR applies to a non-EU controller or processor, and the data transfer mechanism must be used in order to transfer data to such parties. It is a pity that the proposals made in the GDPR legislative process to merge applicable law rules with those on trans-border data flows and produce a single provision dealing with the protection of personal data processed or transferred outside the EU were not adopted. The relationship between Article 3 and Chapter V has been the subject of discussions in the EDPB. However, as things now stand, Article 3 and Chapter V must be applied separately, and compliance with one does not remove the obligation to comply with the other when it is applicable.”
The position of the EDPB is further in line with the language of the GDPR, where Article 45 refers to transfers to countries that are considered not to provide an adequate level of protection. In other words, even if GDPR governs the relevant processing, the laws of the relevant country could prevent that despite the GDPR being applicable, an adequate level of protection could be ensured. In that sense, the SCCs do provide additional protection against, for example, powers to access data based on local law, e.g., by including notification obligations that are not provided for by GDPR.
Against this background, the inclusion of Recital 7 in the EC Implementing Decision of the new SCCs was surprising to say the least. If anything, it showed a lack of alignment between the EC and EDPB. In public seminars, EC representatives later clarified the recital was included because there was no clear position and agreement of the EDPB on the issue yet, and they considered the SCCs not to be the right mechanism to apply to these transfers as they do not provide added value. When the data importer is directly subject to the GDPR, many of the SCCs safeguards will already directly apply to the importer by virtue of the GDPR. Thus, it would be up to the EDPB to provide guidance on which transfer mechanism should be used instead.
Given the diversity of the opinions, we consider it unlikely the EC and EDPB will quickly see eye to eye on what the supplemental SCCs should look like. On one end of the spectrum, the EC considers the new SCCs superfluous and will likely consider them a very watered-down version of the existing modules as the GDPR already applies directly to the data importer. On the other end, we have the EDPB that will likely require the full scope of the requirements to be imposed by the new SCCs, already for the reason to facilitate contractual enforcement of important GDPR provisions by the data exporter. Whether you agree with this “doubling up” of requirements to ensure enforcement by both DPAs and the contract parties, this approach is already part of how the GDPR is designed. For example, where GDPR applies directly to processors, Article 28 GDPR still requires these requirements to be contractually agreed to by the controller with the processor. Arguments to the contrary were, at the time, dismissed for the added value of contractual enforcement. From this perspective, the 2021 SCCs with the various modules are completely suitable, making them the preferred default solution of the EDPB.
On a final note, we flag that both Recital 7 and the minutes of the EDPB meeting refer to where GDPR directly applies to the data importer based on Article 3(2). The issue at hand, however, emerges when the GDPR applies directly to the data importer based on Article 3(1) GDPR (where a non-EEA controller has establishments in the EU and the data is also processed in the context of the EU establishment).
Photo by Simone Secci on Unsplash