Update Data Protection No. 87
European Commission Publishes Updated Standard Contractual Clauses
On November 12, 2020, just one day after the European Data Protection Board (“EDPB”) published its recommendations on supplementary measures for data transfers to third countries (Recommendation 01/2020), the European Commission published a draft of the long-awaited updated Standard Contractual Clauses (“SCCs”). Under Art. 46 GDPR, SCCs can serve as the legal basis for transfers of personal data to third countries for which no adequacy decision exists. Whether the new SCCs will in practice be the conclusive answer to the question of lawful data transfers to third countries remains open, however, especially against the backdrop of both the ECJ’s Schrems II ruling and the EDPB recommendations.
1. Background
Pursuant to Art. 46 GDPR, SCCs are one of several instruments that companies can use to lawfully transfer personal data to recipients outside the EEA. At present there are two types of SCC: the controller-to-controller SCCs dating from 2001 (and, in a second set, 2004), and the 2010 SCCs covering transfers from controllers to processors. All of the existing SCCs were adopted on the basis of the 1995 Data Protection Directive, the precursor to the GDPR, and each set imposes obligations on the parties with the aim of ensuring that a level of data protection equivalent to that in the EU is maintained in the data importer’s country. Because the existing SCCs are still based on the superseded Directive, a GDPR-compatible update of the SCCs has been expected ever since the GDPR became applicable in 2018. The European Commission was also expected to take the opportunity to align the SCCs with the requirements set out by the ECJ in its Schrems II ruling. Although the ECJ declared the current SCCs valid in Schrems II, it stressed at the same time that it is up to the data exporter, in each individual case, to verify whether the clauses contained in the SCCs can actually be complied with in the data importer’s country. If they cannot, the transfer is unlawful even though SCCs have been entered into.
2. Overview of the most important innovations
- Broad scope: the new SCCs cover all key variants of a data transfer. In addition to transfers between controllers and from controller to processor, the new SCCs contain clauses for transfers from processor to processor and from processor to controller. The SCCs follow a modular approach that lets the parties select the clauses relevant to their particular constellation.
- Accession of further parties: the new draft makes it much easier for multiple parties to use the SCCs, because use by more than two parties is expressly intended. The new SCCs also contain an optional clause governing the accession of additional contracting parties at a later date. This is especially practical where data is transferred within corporate groups.
- Inclusion of obligations from Art. 28 GDPR: the modules governing transfers to processors now also incorporate the data processing agreement required under Art. 28 (3) GDPR. Companies that have entered into the SCCs therefore no longer need a separate data processing agreement, which significantly reduces the administrative overhead. The disadvantage of this solution is that it will in future be more difficult for the parties to agree customized terms for processing on behalf of the controller, as this would require additions to the SCCs, which are only permissible where the supplementary clauses do not contradict the SCCs.
- Guidance on technical and organizational measures (“TOMs”): the data importer must describe its technical and organizational measures in Annex II to the new SCCs. To that end, Annex II lists 17 sample categories in which the measures are to be specified. This list at least creates greater clarity as to which categories of security measures the parties are expected to address.
- Disclosure of the controllers: the module for transfers from processor to processor requires all controllers to be listed in Annex I.A. In practice, this would be difficult to implement for technical service providers with a large and constantly changing roster of customers (and thus controllers).
- Transparency toward data subjects: for transfers between two controllers, the new SCCs require the data importer to provide its identity and contact details to the data subjects, either directly or via the data exporter, unless this would entail disproportionate effort. This obligation is likely to affect the data exporter’s privacy notices: where data is transferred to a third country it will no longer suffice to name categories of recipients; instead, the specific recipients and their contact details will need to be listed.
- Schrems II modifications: as expected, the new SCCs also contain clauses that are clearly derived from the requirements specified by the ECJ in its Schrems II ruling on data transfers to third countries. These relate in particular to the following provisions:
- a) Assessment of the transfer risk: the new SCCs may only be entered into if, following a thorough review of the legal regime in the data importer’s country, the parties conclude that the terms of the SCCs can actually be complied with there. The review must consider in particular the specific circumstances of the transfer, such as the purpose of the processing, the categories of personal data and the length of the processing chain, as well as the laws of the third country, in particular those that entitle the state or its authorities to compel disclosure of the data. Unlike the EDPB recommendations, the SCCs do not use as their benchmark the (very strict) European Essential Guarantees for surveillance measures (Recommendation 02/2020), which the EDPB established itself without any legislative procedure, but instead the principles of Art. 23 GDPR. As long as the laws of the third country respect the essence of the fundamental rights and freedoms of a democratic society and do not go beyond what is necessary and proportionate to safeguard the objectives listed in Art. 23 GDPR, they are not deemed to contradict the SCCs, and the SCCs can be entered into. This assessment will be the decisive hurdle for the majority of data transfers to third countries. This is all the more so if the assessment described in the SCCs is read in light of the EDPB recommendations, according to which the transfer of unencrypted data to third countries should be permissible only in a very limited number of cases, even where additional safeguards are in place.
- b) Obligation to challenge requests from public authorities: if the data importer receives a legally binding request to disclose personal data, the new SCCs require it to notify the data exporter as soon as possible. If such notification is prohibited by law, the data importer must use its best efforts to have the prohibition lifted. In addition, the data importer must exhaust all available remedies against the disclosure request, including seeking interim measures. This obligation will place a heavy burden on the data importer whenever a disclosure request is made, and the question of who bears the costs of mounting such a challenge remains open. For that reason, at least some companies may initially hold back from signing up to the new SCCs.
- c) Notification obligations when compliance is no longer possible: if the data importer is no longer able to comply with the stipulations of the SCCs, it must notify the data exporter accordingly. The data exporter must then decide whether to suspend the transfer or whether additional safeguards can be implemented that would permit the transfer to continue. It is worth noting that, under the SCCs, the data exporter is obliged to report to the competent supervisory authority in both cases.
3. Further procedure
The public consultation on the draft SCCs published by the European Commission runs until December 10, 2020. During this period, feedback on the draft can be submitted via the European Commission’s website. The European Commission will then publish a final draft, which in turn must be approved by the committee established under Art. 93 GDPR (i.e. representatives of all Member States).
In addition, the EDPB’s opinion must be obtained before the SCCs are formally adopted. The EDPB’s feedback will be especially important because it is expected to explain how the SCCs can be applied in practice in light of its own recommendations on data transfers to third countries.
Because of these additional procedural steps, the updated SCCs are unlikely to come into effect before spring 2021. Once they do, companies will have a one-year transition period in which to replace their existing SCCs with the new ones – assuming that, given the strict EDPB recommendations, the new SCCs can be used as the basis for transfers to a third country at all.