Last week, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) published a joint opinion on the European Commission’s (“EC”) proposed new set of Standard Contractual Clauses for transferring personal data to non-EU countries (“draft SCCs”). The ball is now in the EC’s court to consider the joint opinion, as well as the roughly 150 comments it received on the draft SCCs, and decide whether to implement any changes.
This post describes some of the notable new aspects of the draft SCCs and highlights the areas of the draft SCCs that the EDPB and EDPS have identified as requiring improvement or further clarification. We’ll provide some impressions about the divergences between the draft SCCs and the EDPB-promulgated guidance documents, and share some thoughts on what to do next.
How Did We Get Here?
There has been a lot of movement on the draft SCCs in the past few months, so to briefly recap: Last November, the EDPB issued its guidance on supplementary measures to address the CJEU’s Schrems II ruling. In case you missed it, our post on that EDPB guidance can be found here. Two days later the European Commission published its draft Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, proposing the new draft SCCs and seeking public comment. In response, the EDPB and EDPS issued a Joint Opinion (the “Joint Opinion”) on the draft SCCs, offering feedback and proposing revisions to better align the draft SCCs with GDPR and the EDPB’s previously-issued guidance.
What’s new about the SCCs?
The new draft SCCs reflect a major overhaul of the “old” (read: “current”) SCCs, which were adopted in 2001 and 2004 (controller-to-controller clauses) and 2010 (controller-to-processor clauses). To the bewilderment of many privacy lawyers, the SCCs had never been revised to account for GDPR, so it was high time for an update.
Overall, as compared to the old SCCs, the requirements for both importers and exporters in the draft SCCs are more substantial and require significantly more tailoring to the individual aspects of the transfer. Some of the notable changes reflected in the draft SCCs include:
- A revised modular format. Unlike the current SCCs, which offer only two options to describe the relationship between the parties (controller-to-controller and controller-to-processor), the draft SCCs implement a modular format that provides the parties more flexibility to define their relationship, including new modules to also capture processor-to-processor and processor-to-controller transfers.
- New representations regarding the impact of local laws. To account for the CJEU’s mandate in Schrems II, all four modules of the draft SCCs require the parties to warrant “that they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under [the draft SCCs].” Importantly, the draft SCCs state that in making that warranty, the parties must “carry out an assessment” of (among other things): “the specific circumstances of the transfer; . . . the nature of the personal data transferred; any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred.”
- New obligations on data importers in the case of government access requests. Also intended to address the Schrems II decision, all four modules of the draft SCCs impose specific obligations on data importers if they receive a request by a public authority for the personal data transferred under the SCCs. In particular, the draft SCCs require importers to (among other things) notify the exporter of the request or, if such notification is prohibited by law, the data importer must “use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information and as soon as possible.” In addition, the draft SCCs require the data importer to provide the data exporter with regular updates, for the duration of the contract, about requests received from public authorities.
Areas for improvement, according to the Joint Opinion
In their Joint Opinion, the EDPB and EDPS proposed some significant revisions to, or requested clarification on, at least 20 clauses in the draft SCCs. Among the more noteworthy revisions and requests:
- Clarify the scope of the SCCs. The EC’s decision implementing the draft SCCs states that the SCCs are considered to provide appropriate safeguards “for the transfer of personal data from a controller or processor subject to [GDPR] to a controller or (sub-) processor not subject to [GDPR].” That language at least arguably implies that transfers to a controller or processor that is located outside the EU, but covered by GDPR via Article 3(2) (extraterritorial scope), are not “transfers” for which GDPR would require a transfer mechanism. The EPDB and EDPS are apparently not comfortable with that implication: In response, the Joint Opinion requests the EC to clarify that the scope of its decision is limited to the application and scope of SCCs themselves, and is not intended to define the entire “notion of transfers” as that term is used in GDPR.
- Broaden data subject rights as third party beneficiaries. The draft SCCs state that data subjects may, as third party beneficiaries to the SCCs, invoke and enforce the clauses of the SCCs against both the data exporter and the data importer, subject to several enumerated exceptions. The Joint Opinion proposes that the EC delete a number of clauses from the list of exceptions—thus making those clauses enforceable by data subjects against data importers, including those covering non-compliance with sub-processing commitments, the data importer’s agreement to cooperate with the supervisory authority, and the data importer’s obligation to inform the data exporter if it cannot comply with the SCCs.
- Enhance obligations regarding onward transfers. The Joint Opinion proposes that the EC add several additional obligations to the draft SCCs to ensure onward transfers do not harm data subjects’ rights. In particular, the Joint Opinion proposes adding an obligation for the data importer to notify the data exporter of any onward transfers, and a requirement that the data importer provide a copy of the safeguards implemented for an onward transfer to the data subject upon request.
- Remove subjective factors from the assessment of third country laws. In describing the factors that the parties should consider as part of their assessment regarding the effect of local laws on the data importer’s ability to comply with the SCCs, the draft SCCs include (among other factors): “any relevant practice experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred.” In response, the Joint Opinion stresses that such “subjective factors” should not be considered as part of the assessment. The Joint Opinion states: “the assessment . . . should be based on objective factors, regardless of the likelihood of access to the personal data.” The Joint Opinion reiterates the seven “objective factors” set out by the EDPB in its guidance on Schrems II, and points out that the EC’s current permission to analyze subjective factors like “likelihood of access to personal data” could be misunderstood to permit data to be exported if the data importer has simply not yet received any order to disclose personal data, despite being subject to local laws permitting such orders.
Piecing things together
At this point, the SCCs look like an unfinished puzzle—we know roughly how they will look in the end, but the details still aren’t fully clear. For example, we know that the new SCCs will better-encompass the gamut of GDPR-covered processing relationships, align with the requirements of GDPR, and accommodate more complex multi-party processing relationships. There are, however, still some areas of uncertainty. In particular, the transfer assessment contemplated by the draft SCCs diverges significantly from the transfer assessment contemplated by the EDPB-promulgated documents (the Schrems II guidance and Joint Opinion) in that the former permits consideration of subjective factors while the latter prefers to prohibit the same.
What should we do now?
Savvy practitioners (like those who have made it this far in this post) are likely considering what they can and should do now to anticipate future implementation of the draft SCCs. We have some advice:
- Don’t start monkeying with your current SCCs. To the extent you have clients that are entering into the current SCCs to support new transfers of personal data, don’t attempt to supplement the current SCCs to future-proof them for the new SCCs. Not only are the draft SCCs still unfinalized, but as this post demonstrates, there are some key substantive issues that have yet to be resolved. Additionally, under the draft SCCs, businesses will have twelve months from the date the new SCCs become effective to replace any existing SCCs that the business is relying upon to conduct transfers to third countries. Rest assured, there will be plenty of time for monkeying later.
- But do set expectations that the new SCCs won’t be “plug and play.” At this point in the drafting process, it is clear that companies interested in transferring personal data from the EU to a third country will be unable to simply rely on their copy and paste skills to implement the SCCs. The new SCCs will be highly particularized to the circumstances of each transfer, and may require revisions throughout the life cycle of the contract, as the draft SCCs contemplate accession of additional parties via a new “Docking Clause.” In addition, the parties will have to engage in a multi-faceted transfer assessment, including documentation requirements.
- And remember that supplementary measures may still be required. Despite the many added protections that are incorporated into the draft SCCs, remember that the SCCs still will not, on their own, ensure an “essentially equivalent” level of data protection for certain transfers—particularly transfers to the U.S. As the CJEU noted in Schrems II: “Since by their inherently contractual nature standard data protection clauses cannot bind the public authorities of third countries . . . it may prove necessary to supplement the guarantees contained in those standard data protection clauses.”
In sum, there is still a lot to unpack regarding the new SCCs and the effect of Schrems II. U.S.-based companies subject to GDPR based on Art. 3(2) will be particularly interested in whether their collection of personal data directly constitutes a “transfer” pursuant to GDPR Chapter 5—an issue which the Joint Opinion raises but doesn’t resolve. We’ll dive into that topic in a future blog post. For now, we will be on the lookout for the EC’s response to the Joint Opinion.