European Commission Publishes Draft Standard Contractual Clauses

07 December 2020 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Aaron K. Tantleff, Jennifer L. Urban, Steven M. Millendorf, Samuel D. Goldstick, Aaron T. Maguregui

On November 12, 2020, the European Commission (“EC”) published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”), along with the draft set of new SCCs (collectively, the “Cross-Border SCCs”).

Greater Flexibility

Unlike the existing sets of SCCs, which apply only to two types of transfers originating in the European Economic Area (“EEA”) (controller-to-controller and controller-to-processor), the proposed Cross-Border SCCs adopt a modular concept that caters to various transfer scenarios and the complexity of modern processing chains:

  1. Controller-to-controller transfers;

  2. Controller-to-processor transfers;

  3. Processor-to-processor transfers; and

  4. Processor-to-controller transfers (particularly where the EEA processor combines personal data received from the third country controller with personal data collected in the EEA).

While existing SCCs address the first two of the above scenarios, organizations have struggled with the latter two scenarios for quite some time now (at least since GDPR went into effect), and SCCs that address these may be a welcome addition for these organizations. Furthermore, the EC indicates that a single set of SCCs may be utilized by more than two (2) parties, greatly reducing the number of agreements that organizations need to enter into when onboarding new vendors or service providers (or when they have to replace the existing SCCs with these new Cross-Border SCCs).

New Requirements

The Cross-Border SCCs also contain several new obligations, some of which include:

  1. Providing data subjects with a copy of the Cross-Border SCCs upon request and informing them of any change of the (i) purpose and (ii) identity of any third party to whom the personal data will be disclosed.

  2. With regard to any onward transfer by the data importer to a recipient in another third country, ensuring that (i) the recipient accedes to the Cross-Border SCCs; (ii) the protection of personal data transferred is provided by other means; and/or (iii) the data subject gives explicit, informed consent to such transfer.

  3. Describing in more detail the liability between the parties and towards the data subjects and the indemnification obligations between the parties to the transfer.

Article 28 Clauses

Alongside the Cross-Border SCCs, the EC also published draft SCCs between controllers and processors located in the EEA (the “Article 28 Clauses”). These contain clauses a controller can impose on its processor to satisfy the contractual requirements that the controller is obliged to impose under Article 28 of the GDPR. The use of these Article 28 Clauses will not be compulsory, and businesses may continue to use tailored data processing agreements to satisfy Article 28.

Addressing Schrems II

The Cross-Border SCCs address the challenges following the Schrems II decision by the European Court of Justice in July 2020. These new SCCs include language that explicitly outlines how the data importer is supposed to react if the laws that apply to the data importer interfere with its ability to comply with the clauses, particularly when government authorities issue binding requests for access to personal data. The EC’s draft decision also sets out additional requirements to address the impact of the importing country’s laws on the parties’ contractual commitments, and indicates that these may only be necessary when the data originated in the EEA, but not when the controller is the importer and is only getting back the data it originally sent to the processor for processing. The statement appears to stealthily suggest that the requirements of GDPR may only apply to individuals in the EEA, and not individuals in other countries who interact with companies that are otherwise subject to GDPR. In addition, the decision suggests that these Cross-Border SCCs are applicable when transferring personal data between an entity that is directly subject to the GDPR and an entity that is not directly subject to the GDPR.

Both the EC’s decision and the proposed Cross-Border SCCs describe three ways in which the parties must address the effect of foreign laws on the level of protection provided by the SCCs:

  1. There are placeholders for the EDPB recommendations on supplementary measures (the “EDPB Recommendations”).

  2. Some of the supplementary measures described in the EDPB Recommendations are directly incorporated into the draft decision. Specifically, the decision describes requirements to notify the data exporter and the data subject of legally binding requests for personal data from governmental authorities where possible, to share aggregate information on these types of requests at regular intervals, to document such requests, and to challenge such requests when possible.

  3. In a slight divergence from the EDPB Recommendations, the decision recommends that the parties consider “any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” In contrast, the EDPB Recommendations caution against relying “on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards,” although the decision’s approach appears to be more consistent with other areas of the EDPB Recommendations that suggest that the parties should consider the nature of the data and apply the risk-based approach that is inherent in the GDPR.

Conclusions

The Cross-Border SCCs are open for public consultation until December 10, 2020. Once approved, these clauses will replace the previous SCCs used by organizations as an appropriate safeguard for making international transfers of personal data under the GDPR. The final SCCs are expected to be adopted in early 2021. Organizations will have twelve (12) months from the date the Cross-Border SCCs enter into force to replace any existing SCCs currently being relied upon to conduct international transfers of personal data with the Cross-Border SCCs. 

However, organizations should begin to understand the scope of their existing SCCs that may need to be revisited as a result of the new SCCs (especially those that more directly address the processor-processor or processor-controller scenarios), and should be prepared for potentially heated discussions when trying to incorporate the details of the additional measures described by the EDPB Recommendations.

For questions or additional information on this topic, please contact any of the authors or your Foley relationship partner. 