European Commission Publishes Draft Standard Contractual Clauses

On November 12, 2020, the European Commission (“EC”) published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”), along with the draft set of new SCCs (collectively, the “Cross-Border SCCs”).

Greater Flexibility

Unlike the existing sets of SCCs, which apply only to two types of transfers originating in the European Economic Area (“EEA”) (controller-to-controller and controller-to-processor), the proposed Cross-Border SCCs adopt a modular concept that cater to various transfer scenarios and the complexity of modern processing chains:

1. Controller-to-controller transfers;
   
   
2. Controller-to-processor transfers;
   
   
3. Processor-to-processor transfers; and
   
   
4. Processor-to-controller transfers (particularly where the EEA processor combines personal data received from the third country controller with personal data collected in the EEA).

While existing SCCs address the first two of the above scenarios, organizations have struggled with the latter two scenarios for quite some time now (at least since GDPR went into effect), and SCCs that address these may be a welcome addition for these organizations. Furthermore, the EC indicates that a single set of SCCs may be utilized by more than two (2) parties, greatly reducing the number of agreements that organizations need to enter into when onboarding new vendors or service providers (or when they have to replace the existing SCCs with these new Cross-Border SCCs).

New Requirements

The Cross-Border SCCs also contain several new obligations, some of which include:

1. Providing data subjects with a copy of the Cross-Border SCCs upon request and informing them of any change of the (i) purpose and (ii) identity of any third party to whom the personal data will be disclosed.
   
   
2. With regard to any onward transfer by the data importer to a recipient in another third country, ensuring that (i) the recipient accedes to the Cross-Border SCCs; (ii) the protection of personal data transferred is provided by other means; and/or (iii) the data subject gives explicit, informed consent to such transfer.
   
   
3. Describing in more detail the liability between the parties and towards the data subjects and the indemnification obligations between the parties to the transfer.

Article 28 Clauses

Alongside the Cross-Border SCCs, the EC also published draft SCCs between controllers and processors located in the EEA containing clauses a controller can impose on its processor to satisfy the controller’s contractual requirements that the controller is obliged to impose under Article 28 of the GDPR. The use of these Article 28 Clauses will not be compulsory, and businesses may continue to use tailored data processing agreements to satisfy Article 28. 

Addressing Schrems II

The Cross-Border SCCs address the challenges following the Schrems II decision by the European Court of Justice in July 2020. These new SCCs include language that explicitly outline how the data importer is supposed to react if the laws that apply to the data importer interfere with its ability to comply with the clauses, particularly when government authorities issue binding requests for access to personal data. The EC’s draft decision also addresses additional requirements to address the impact of the importing country’s laws on the parties’ contractual commitments, and indicates that these may only be necessary when the data originated in the EEA but not when the controller is the importer and only getting the data it originally sent to the processor for processing. The statement appears to stealthily suggest that the requirements of GDPR may only apply to individuals in the EEA, and not individuals in other countries who interact with companies that are otherwise subject to GDPR. In addition, the decision suggests that these Cross-Border SCCs are applicable when transferring personal data between an entity that is directly subject to the GDPR and an entity that is not directly subject to the GDPR.

Both the EC’s decision and the proposed Cross-Border SCCs describe three ways in which the parties must address the effect of foreign laws on the level of protection provided by the SCCs:

1. There are placeholders for the EDPB recommendations on supplementary measures (The “EDPB Recommendations”).
   
   
2. Some of the supplementary measures described in the EDPB Recommendations  are directly incorporated into the draft decision. Specifically, the decision describes requirements to notify the data exporter and the data subject of legally binding requests for personal data from governmental authorities, where possible, sharing aggregate information on these types of requests at regular intervals, documenting such requests, and challenging such requests when possible.
   
   
3. In a slight divergence from the EDPB Recommendations, the decision recommends that the parties consider “any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” In contrast, the EDPB Recommendations caution against relying “on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards,” although it appears to be more consistent with other areas of the EDPB Recommendations that suggest that the parties should consider the nature of the data and apply the risk based approach that is inherent in the GDPR.

Conclusions

The Cross-Border SCCs are open for public consultation until December 10, 2020. Once approved, these clauses will replace the previous SCCs used by organizations as an appropriate safeguard for making international transfers of personal data under the GDPR. The final SCCs are expected to be adopted in early 2021. Organizations will have twelve (12) months from the date the Cross-Border SCCs enter into force to replace any existing SCCs currently being relied upon to conduct international transfers of personal data with the Cross-Border SCCs. 

However, organizations should begin to understand the scope of its existing SCCs that may need to be revisited as a result of the new SCCs (especially those that more directly address the processor-processor or processor-controller scenarios), and should be prepared for potentially heated discussions when trying to incorporate the details of the additional measures described by the EDPB Recommendations.