Following on from this week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer (EU-based processor to ex-EU processor, and EU-based processor to ex-EU controller) and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation (GDPR). The draft clauses will be subject to consultation with the EDPB, and there are a few points of potential disagreement between the Commission’s draft and the EDPB’s guidance.
New Transfer Scenarios
The Standard Contractual Clauses approved by the Commission in 2001 and 2010 only addressed two data flow scenarios: an EU-based controller exporting data outside of the EU to other controllers, or to processors. In this new draft, the Commission departs from that approach and addresses a gap which frequently occurred in practice: allowing for EU processors to serve as data exporters to controllers and processors outside of the EU. All of the scenarios permitted by the new contract form are laid out in a series of “modules,” with generally applicable clauses included before and after the more specific sections.
This brings welcome flexibility, recognizes the reality that EU-based processors frequently export personal data to non-EU sub-processors (who do not currently have a satisfactory legal mechanism to cover those transfers), and reflects the expanded territorial scope of the GDPR. It creates a pathway for controllers outside of the EU to work with processors located in the EU on projects involving EU data. For example, a U.S. company could retain the services of an EU-based call center to respond to customer queries arising from sales made in the EU. The new SCC forms for a processor-controller transfer would allow that call center to share customer records with its U.S.-based client. That call center could now also sub-contract its work to an overflow call center outside the EU, using the processor-processor form.
From a structural point of view, the new SCCs also provide a mechanism for additional parties to accede to the clauses as data exporter or data importer – something which is often implemented under the current SCCs by using a wraparound framework data transfer agreement which incorporates the SCCs.
Tension with the EDPB?
Given the timing of the two announcements, it’s impossible to read the Commission’s draft without thinking of the EDPB’s six-step process for evaluating data transfers. There does appear to be some potential disagreement about the approach controllers are expected to take. Both the Commission and the EDPB include a list of factors data importers must consider when determining whether local law allows them to comply with their obligations under the SCCs, but the lists are not the same. The Commission appears to permit data importers to consider the practical likelihood of government access by allowing evaluation of “relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” The EDPB, on the other hand, warned data importers away from “subjective” considerations, including “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” However, both documents note that the evaluation must include all laws “applicable” to the data importer.
One-Stop (Contract) Shop
The Commission noted that it believes its proposed clauses not only satisfy the requirements of Article 46 (standard contractual clauses for international transfers), but — when used by an EU controller with a processor — also satisfy Article 28. Article 28 details the requirements for controller-processor contracts generally (regardless of whether personal data is exported outside the EEA), and these obligations are often the subject of negotiation between business entities. The Article 28 aspects of the draft SCCs are relatively “bare bones” and may be favored by processors who do not wish to agree to bespoke obligations for each controller they work with. The relatively minimalist approach is somewhat at odds with the approach taken by the EDPB in its recent guidance on controllers and processors (see “New Guidelines on Data Controllers and Processors: Time to Review Data-Processing Agreements”), which stated that while the Article 28 obligations constitute the core content of a data processing agreement, they are not sufficient in themselves and should be supplemented by detailed provisions which set out the respective obligations of controllers and processors. In at least one instance, the draft terms reach “business” issues not usually addressed by regulators, and apportion the cost for data protection audits between the parties. The Commission’s note does indicate that use of the SCCs for Article 28 purposes is not required and the parties can supplement these provisions with additional terms.
Where Do We Go From Here?
The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. The feedback received during this process could lead to further changes to the structure and content of the documents. Once in final form, the decision and clauses will need to be formally adopted by the Commission to be effective and available to companies for use. Fortunately, the draft Commission decision provides a one-year transitional period. Existing contracts using the old SCC forms will remain effective during this period, provided the contract is otherwise unchanged. Once contracts are revised or updated, however, the new clauses should be implemented. While this is helpful breathing space, this week’s combined developments mean that international data transfers will be high on the compliance agenda for the remainder of 2020 and a key priority for 2021.
Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.
View the draft Standard Contractual Clauses.