Standard Contractual Clauses (SCCs) are a highly relevant transfer mechanism under the EU General Data Protection Regulation (GDPR) used by EU controllers and processors as data exporters for transferring personal data to recipients outside the EU/EEA. SCCs impose a number of data protection obligations on data importers in order to compensate for shortcomings in the data privacy legislation to which the data importer is subject.
Since the “Schrems II” judgment of the Court of Justice of the European Union (CJEU) in July 2020, in which the Court requested data exporters and importers to assess the need for the implementation of “supplementary measures” for each transfer based on SCCs, SCCs have probably become the most discussed topic amongst data privacy scholars and practitioners.
Despite their great practical importance, however, the currently applicable sets of SCCs have not been updated since the GDPR entered into force in May 2018 and were still adopted under its predecessor, the Data Protection Directive. This is now about to change. Relatively shortly after the “Schrems II” judgment, the European Commission published a new draft of SCCs, which is expected to be adopted in April. Businesses should therefore start reviewing the possibilities and restrictions under the new SCCs in order to be prepared.
Modular approach
To date, three separate sets of SCCs exist, depending on the respective transfer scenario. Two sets cover transfers between controllers (of which the younger EG/2004/619 set is the more relevant one in practice), while the third set applies to transfers from controllers to processors. This framework has proven incomplete, since it does not account for scenarios where personal data is exported not directly by the controller but by its EU-based processor, which engages a third-country subcontractor. In such a case, the current SCCs would normally foresee a direct contractual relationship between the controller and the subcontractor, which is, however, rarely established in practice. For the sake of convenience in such scenarios, the SCCs are instead routinely concluded between the EU-based processor and the subcontractor.
The European Commission has taken the aforementioned problems into account when drafting the new SCCs. It opted for a modular approach that combines separate rules for all potential transfer scenarios in one overall agreement. In particular, new sets for transfers between two processors and even from a processor in the EEA to a third-country controller are included.
A further novelty under the new SCCs is the so-called “docking clause”, which facilitates the formation of multilateral contractual relationships by allowing new parties to accede to an already existing agreement.
Moreover, the new SCCs shall serve not only as the basis for international data transfers but also as a data processing agreement within the meaning of Article 28(7) GDPR. However, in their Joint Opinion 2/2021, the EDPB and EDPS criticised that the provisions governing international data transfers and those governing data processing cannot easily be distinguished, and therefore called for clarification.
(Limited) “Schrems II”-readiness
In July 2020, the CJEU’s ruling in “Schrems II” put international data transfers based on SCCs under pressure. According to the Court, data exporters must ensure that data importers are able to guarantee the inviolability of the received data, which primarily depends on the intrusiveness of local surveillance laws and on governmental powers to request access to personal data held in private computer systems.
The new SCCs take account of the “Schrems II” decision and provide for a number of specific safeguards.
- First, the parties must warrant that they have no reason to believe that the local laws at the location of processing will prevent the data importer from complying with its contractual obligations. In this regard, the SCCs require the data importer and data exporter to conduct a risk-based assessment taking into consideration the specific circumstances of the transfer, including the purpose of the processing, the scale and regularity of the transfers, the nature of the affected personal data, and the parties’ relevant practical experience with prior governmental data access requests. The parties must document their assessment and revisit it if they observe changes in the relevant legal framework. The assessment must also be provided to supervisory authorities on request. The current draft does not include an Annex that could be used as a template for such documentation, but there are rumours that such a document will be added to the final version of the new SCCs, as also requested by the EDPB and EDPS.
- Second, the data importer is obligated to promptly notify the data exporter if it receives a governmental access request or becomes aware of any other surveillance measure. This is intended to allow the data exporter to take remediating action to minimise the potential privacy impact of such a governmental measure. Moreover, to the extent legally possible, the data importer must challenge governmental access requests.
- Third, if the data exporter comes to the conclusion that the SCCs are not sufficient to adequately safeguard the envisaged data transfer, it shall promptly identify appropriate contractual, technical and organisational measures to ensure the security and confidentiality of the transferred data.
The EDPB and EDPS have criticised the Commission’s approach to the “Schrems II” decision as reflected in the new SCCs. In particular, they argue for a stricter interpretation of the ruling and doubt whether there is room for a risk-based assessment that takes into account subjective factors such as the parties’ prior experience with governmental data access requests. It remains to be seen whether the Commission will hold its position in the final version of the new SCCs in light of this criticism.
Additionally, the EDPB and EDPS criticised the Commission for not having considered cases in which the level of data protection is adequate, but the authorities have not followed the law in practice.
Extended rights of data subjects
Under the new SCCs, the rights of data subjects will be strengthened. In contrast to the current regime, in which data subjects cannot exercise the data subject rights granted by the GDPR directly vis-à-vis the data importer, data subjects will be granted direct rights against data importers. The exact extent of these rights will depend on the concrete transfer scenario, but in the case of a data transfer between controllers, data subjects may enforce the full range of data subject rights as under the GDPR. This will require data importers to implement processes enabling them to fulfil these rights; more generally, it favours processors being subject to a GDPR-like regime, as recently updated privacy regulations are increasingly inspired by the GDPR.
This comes along with an extension of the rights of data subjects as third-party beneficiaries, who may invoke and enforce the SCCs against the data exporter as well as the data importers, except for those clauses that clearly regulate only the relationship between the data exporter and the data importer.
Liability rules
The new SCCs will introduce a strict liability regime comparable to the liability rules under the GDPR.
Each party shall be liable to the other party (or parties) for any material or non-material damage it causes the other party (or parties) by any breach of the clauses. Moreover, data subjects may claim compensation for material and non-material damage from both the data importer and the data exporter in the event of a breach of the clauses by any party. Thus, the parties to the clauses may be jointly and severally liable vis-à-vis data subjects. Remarkably, in certain scenarios (transfers from controller to processor and from processor to (sub-)processor), the data exporter will even be subject to strict liability for breaches by the data importer.
Timeline
The Commission is expected to adopt the new SCCs in the course of April 2021. After coming into force, the new rules will be binding on all data exporters for future data transfers; consequently, the old sets will become invalid. Regarding ongoing data transfers, it currently looks as if data exporters will be given a one-year transitional period to update their contractual relationships with data importers, on the condition that the contractual relationship remains unchanged (except for implementing “supplementary measures” as required by the “Schrems II” decision).