The dust has settled on the new EU standard contractual clauses for cross-border data transfers (“New SCCs”), but confusion still reigns on how the New SCCs cover data transfers and what companies need to do to take advantage of them and comply with regulatory implementation guidance, including in relation to Transfer Impact Assessments (“TIAs”). In this post, we explore some of the key requirements and provide key takeaways for businesses regarding the New SCCs. We also cover the recent public consultation on data transfers launched by the UK Information Commissioner’s Office (“ICO”), which includes new, UK-specific data transfer clauses, a UK addendum to the New SCCs and a proposed TIA tool.
THE NEW SCCS AND THE EDPB RECOMMENDATIONS
There are two documents that represent the universe of the New SCCs and implementing guidance:
- On 4 June 2021, the European Commission (“Commission”) published the final version of the New SCCs (available here).
- On 18 June 2021, the European Data Protection Board (“EDPB”) adopted the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure alignment with the level of protection of personal data in the EEA (“Final Recommendations”).
WHAT IS NEW?
The New SCCs are a welcome upgrade from the “old” SCCs as they provide a solution for two shortcomings of the old SCCs:
- They provide a mechanism for (i) transfers from processors to sub-processors with operations outside of the EU (for example, a contract research organization in the EU that provides services to a U.S.-based sponsor and sends data to U.S.-based analytics company, or an EU-based CRM software provider that stores data in a U.S.-based cloud platform), and (ii) transfers from processors in Europe to controllers (for example an EU-based marketing agency that works for a U.S. brand that collects data about European consumers). The old SCCs did not cater for these transfer scenarios, often leaving data exporters with limited or no means to legitimize those types of transfers.
- They no longer require the data exporter to be located in Europe. This means that non-EU controllers can enter into the New SCCs with their processors, and non-EU processors can enter into the New SCCs with their sub-processors.
In addition, the New SCCs offer a pragmatic solution for companies seeking to comply with the TIA requirement mandated by the Court of Justice of the EU (“CJEU”) in Schrems II. Specifically, the New SCCs and the Final Recommendations explicitly acknowledge that TIAs can take into account the data importer’s actual experience with government access requests. This will come as a relief to businesses that may otherwise have been severely restricted by the EDPB’s original view that subjective experience-based considerations could not form part of the risk analysis (discussed in our article here).
We unpack the New SCCs key requirements below.
The New SCCs have a modular structure, comprising four sets of clauses that apply specifically to the different transfer scenarios, namely, controller-to-controller transfers (“C2C”); controller-to-processor transfers (“C2P”); processor-to-processor transfers (“P2P”); and processor-to-controller transfers (“P2C”). Businesses will need to select the module that applies to their intended transfers and only use the applicable clauses specific to the module. Below, we outline some of the key features of each module.
Module One (C2C)
This module imposes key GDPR data protection obligations on the data importer, including obligations to only process transferred data for the specified purposes set out in the relevant annexes of the New SCCs and limit retention of data to what is necessary for the relevant purpose. Data importers will now need to notify data subjects of the processing of their personal data (either directly or via the data exporter), including categories of data processed, third party recipients (together with the purposes of the onward transfer), the safeguard relied on for the onward transfer, and the right to obtain a copy of the New SCCs. The data importer is also required to notify the data exporter and data protection authorities of data breaches without undue delay.
These obligations will be new to many data importers that are not directly subject to the GDPR. Data importers will need to implement the New SCCs’ obligations into their business processes and privacy policies, and delineate consumer-facing responsibilities with the data exporter.
Module Two (C2P)
This module incorporates the contractual requirements of Article 28 of the GDPR between controllers and processors. Controllers and processors, or processors and sub-processors, that enter into the New SCCs will no longer be required to enter into separate data processing terms. Whilst this is a seemingly sensible move, not everyone will welcome this development. The New SCCs cannot be modified (except to select the appropriate module(s) or to add or update the description of processing applicable to the transfer), so generous interpretations of the Article 28 requirements adopted by certain large processors through their data transfer agreements, such as limiting audit rights or sub-processing consents, have been overruled. That said, we still expect to see attempts to incorporate data processing terms to clarify certain “unfavorable” terms in the New SCCs.
Module Three (P2P)
As with Module Two, this module integrates the GDPR Article 28 requirements for data processing contracts. In addition the module imposes certain direct obligation on sub-processors to the controllers; for example, notifying the controller of personal data breaches “where appropriate and feasible” and promptly addressing inquiries from the controllers.
Module Four (P2C)
The module applies to transfers from a processor in the EEA to its controller outside of the EEA (see the use case above) and reflects the provisions of GDPR Article 28 directly applicable to the EEA-based processor. The processor has an obligation to inform the controller if the controller’s instructions infringe EU data protection law, and the controller is required to refrain from any actions that would prevent the processor from complying with its GDPR obligations.
The New SCCs allow for additional parties to be added to the SCCs at a later date (a so-called “docking clause”), either as a data exporter or as a data importer. The old SCCs did not contemplate a means to add additional parties so businesses have created their own structures to allow for new parties to adhere to the old SCCs over time. The New SCCs better cater for transfers involving multiple parties, for example in the context of intra-group transfers where new entities may be acquired.
TRANSFER IMPACT ASSESSMENT
Following the Schrems II decision and the Final Recommendations, the New SCCs require businesses (in all transfer scenarios) to conduct and document TIAs.
In practice, we expect that there will be at least two ways in which companies address the TIA requirements. Some data exporters will include TIA-like questions as part of their diligence of counterparties/data importers in the U.S. and other third countries. We also expect some data importers will prepare their own TIA analyses that they will offer to their counterparties/data exporters to smooth the contracting path.
While the TIA process is complex and virtually impossible to complete in a way that removes all risk, importers and exporters are incentivized to resolve TIAs favorably. Presumably, the parties engage in a commercial relationship that is mutually beneficial and often necessary, and are likely to be reasonable in solving a variety of compliance issues — including around data protection.
The ambiguity of TIAs also means that it will be hard for regulators to take enforcement actions where the parties document their decision-making process and reach reasonable conclusions within the TIA. All in all, commercial necessities are likely to heavily influence the TIA process, and the TIA process is likely to drive more awareness of transfers and data minimization, and to improve privacy compliance overall.
The TIA process has some dead ends — like the requirement to account for all onward transfers. This means that if an exporter transfers data to a U.S. importer and the importer relies on vendors in India, China, Philippines, Singapore and other countries that are not deemed adequate by the European Commission, the TIA has to account for the legal regime in every one of those countries and not just the U.S. This could easily turn any TIA into a 50-country survey and this type of a TIA will be much weaker when accounting for countries with due process protections that are not as robust as in the U.S. We need to wait and see on how this challenge will play out in practice — hopefully through reasonable limitations on the depth of the TIA, again driven by the data exporter’s and importer’s pragmatism.
Here’s what a TIA should include:
- Details of the transfer, including its purpose, the recipient entity type and industry sector, personal data categories, data storage location and format (e.g., plain text/pseudonymized or encrypted), and transfer mechanism used (e.g., the New SCCs).
- A description of all actors involved in the transfer, including onward transfers, so taking into account controllers, processors and sub-processors (see the challenges outlined above).
- An assessment of the foreign surveillance laws and practices and their impact on the data transfer; specifically, the TIA needs to check that local laws and practices in the third country do not override the protections that the chosen transfer mechanism (e.g., the New SCCs) contains.
- An assessment of additional protections available (taking into account the supplemental technical, organizational and contractual measures set out in the Final Recommendations — see in particular their Annex 2) to secure the positive outcome of the TIA.
PUBLIC AUTHORITIES’ REQUESTS FOR DATA
The New SCCs include detailed provisions around the steps the data importer (in all transfer scenarios) should take in cases where it receives a request for disclosure from a public authority. Such steps include, for example, (i) where possible, notifying the data exporter of the request (this notification obligation also applies where the data importer becomes aware of any direct access to the data by public authorities); (ii) providing the data exporter with “aggregate information at regular intervals” about the requests; (iii) documenting the request and response; (iv) challenging the request where the data importer concludes there are reasonable grounds to consider it unlawful; and (iv) providing only the minimum information necessary to comply with any request.
Moreover, as with the old SCCs, the data importer must notify the data exporter if it believes it is no longer able to comply with the New SCCs — in which case, the data exporter may suspend and/or terminate the New SCCs unless appropriate measures can be taken to remedy this risk.
The New SCCs introduce strict controls over onward transfers from the data importer to another non-EEA based entity (in the same country as the data importer or in another jurisdiction). Except in certain limited specific situations (which differ depending on the relevant module), these transfers are only permitted where the third party accedes to the appropriate module the SCCs.
Where the data importer (processor) intends to transfer personal data to its sub-processors, the subject matter, nature and duration of those sub-processor transfers will need to be listed in the New SCCs with the data exporter. This will require data importers to provide transparency about their entire data processing chain, looking beyond just the immediate transfers to onward transfers, to ensure that chain is reflected in the New SCCs and that the obligations under the New SCCs flow-down appropriately. In practice, many processors will rely on their standard sub-processor lists, which typically provide customers with the type of information that the New SCCs require. However, businesses that have not already undertaken data mapping exercises with respect to their sub-processing chain should prepare for the New SCCs (such as creating standard lists of sub-processors used in relation to the specific transfers, which can be added to the description of transfer required by the New SCCs).
DATA IMPORTERS SUBJECT TO THE GDPR ARE NOT COVERED
The big surprise of the New SCCs is found in Recital 7, which provides that the New SCCs can only be used to legitimize transfers of personal data where the data importer is not subject to the GDPR. This provision has raised several questions about the Commission’s intentions, with much buzz about the possibility that a transfer to a data importer already required to comply with the GDPR is not a “restricted transfer” regulated by Chapter V of the GDPR. While the EDPS and EDPB highlighted this ambiguity in their Joint Opinion on the draft New SCCs (discussed in our prior article on the topic), the Commission has not clarified the issue in the New SCCs, and the Final Recommendations do not shed light on this point. The EDPB is expected to issue further guidance on the interplay between the GDPR territorial scope and the GDPR’s rules on international transfers. It is imperative that this matter is clarified urgently given a large number of data transfers are ostensibly unable to rely on the New SCCs.
In the UK, the ICO’s consultation paper on the UK SCCs (discussed below) includes a specific consultation question on this point — it asks whether a transfer to an importer outside the UK constitutes a “restricted transfer” within the meaning of the UK GDPR where the UK GDPR applies to the importer. In the consultation paper, the ICO proposes to take the position that there is a “restricted transfer” whenever the exporter is subject to the UK GDPR and the importer is located outside the UK (regardless of whether the importer is itself subject to the UK GDPR). If the position is taken, it appears that the parties will still be able to rely on the UK SCCs for the transfer. However, the ICO has stated that it is further assessing this key point in the context of the public consultation process. The UK Government is also looking into assessing the U.S. as an adequate country; this would create an interesting transfer dynamic between the UK, the U.S. and the EU.
The New SCCs entered into force on 27 June 2021. Businesses can continue using the old SCCs for new contracts over a transition period of three months (until 27 September 2021). This transition period will be vital for data importers who need to focus on developing their TIAs and bringing their data transfer chain in line with the New SCCs. Businesses having entered, or entering, into the old SCCs before 27 September 2021 will be able to rely on them for a transition period ending 27 December 2022 (i.e., 18 months from being in force), after which existing contracts will need to be updated to include the new SCCs — however, if the processing operations change, the New SCCs should be used from that point on.
THE ICO’S CONSULTATION ON THE UK SCCS
The New SCCs are not applicable in the UK, but businesses can keep using the old SCCs until replaced by the ICO. On 11 August 2021 the ICO launched a highly anticipated consultation on data transfers, including on (i) a UK-specific international data transfer agreement (“UK SCCs”), which, once approved, will replace the old SCCs in the UK, (ii) a template TIA that businesses could use to meet the Schrems II requirements for a TIA, and (iii) changes to existing ICO’s guidance on data transfers.
The unwelcome news is that the UK SCCs deviate from the New SCCs in some respects (for example, they don’t have a modular structure — it is just one agreement — and they require a an annual review of the agreement and TIAs). The good news is that the ICO is also proposing to approve a UK addendum to the New SCCs. If approved, the UK addendum would allow to use the New SCCs for UK data exports. This would significantly reduce complexities for those multinational businesses who are struggling with the idea of implementing two different sets of SCCs for the EU and the UK. The consultation also seeks views on whether UK addenda should be approved to fit with other international SCCs, such as those issued by New Zealand and the Association of Southeast Asian Nations.
The Commission’s adequacy ruling for the UK, which comes with a warning that the UK’s continued compliance with GDPR principles will be closely watched, means the ICO must be cautious about exercising its newfound freedoms.
The consultation is open until 7 October 2021 and instructions on how to submit responses are included on the ICO’s consultation page. Please let us know if you wish to discuss the consultation, or any comments you intend to include in your submission to the ICO or through Goodwin.