European Commission publishes proposed replacement Standard Contractual Clauses

By Ruth Boardman

11-2020

On 12 November 2020, the European Commission published a draft Implementing Decision on new standard contractual clauses for the transfer of personal data to third countries (Clauses). The Clauses try to reflect what is required under the Schrems II judgment and also to help those transferring data incorporate safeguards for data transfers which go above and beyond the current SCCs. They also address known deficiencies in the current SCCs – catering for data transfers by EU processors to sub-processors and from EU processors back to their instructing controller. The Commission has tackled a difficult topic with skill and insight and has introduced significant improvements to the current SCCs. There will, however, be a significant job for parties to move to the new Clauses – in order to re-sign agreements, provide enhanced transparency to data subjects and to flow down new terms to third parties and sub-processors. The Clauses propose allowing a one-year transition period for this to be done. The Clauses are open for consultation until 10 December 2020.

Heavy influence of Schrems II

The Clauses are drafted to take account of, and work with, the Schrems II judgment. As one would expect, the draft Implementing Decision refers extensively to the judgment and also to the EDPB’s (draft) Recommendations on measures that can be used to supplement data transfer tools.

The Clauses retain the principles in the current standard contractual clauses (“SCCs”), which were considered positively by the CJEU in Schrems II, and which were the basis for the CJEU’s decision that the SCCs should remain valid. These principles are: an obligation on the data exporter (assisted by the importer) to consider the level of protection of personal data in the third country; an obligation on the data importer to notify the data exporter of any inability on the part of the importer to comply with SCCs; and a corresponding obligation on the exporter to suspend data transfers, terminate the agreement, or to notify the supervisory authority if it continues to transfer personal data having received such a notice. 

The new Clauses incorporate further elements from Schrems II. In particular, the data exporter is required to document the transfer impact assessment which it carries out and to make this available to the competent supervisory authority on request (Section II.2(d)). The Clauses set out the factors that the data exporter must consider in a transfer impact assessment. In addition to considering the law and practice in the third country, the draft Clauses also helpfully reference, inter alia, the duration of the contract; scale and regularity of transfers; length of processing chain and transmission channel used; type of recipient; purpose of the transfer and the nature of the data transferred.

The new Clauses also include stronger commitments on the data importer vis-à-vis attempts by public authorities in the third country to access EU-originating personal data. The data importer must – where possible – notify both data exporter and data subject that it has received a request by a public authority to access such data; it must assess the legality of any such order by reference to the law in force in the third country and, where it considers it has grounds to challenge the order, it must do so; where possible it must seek an interim measure to suspend any requirement to disclose data while the challenge is pending; it must also disclose the minimum amount of personal data reasonably possible in response to an order. The importer must document these requests and the steps it follows and make these available to the exporter. It must also prepare a transparency report (i.e. more general information about the nature of requests received). Readers may recognise these obligations – they are included in the EDPB’s draft Recommendations. The Commission has not included all of the EDPB’s suggested supplementary measures: in particular, the suggestions relating to “warrant canaries” and “no-backdoor warranties” have not been included. The requirement in the Clauses that the importer should document requests and make documents available to the exporter can be found in the EDPB’s list of organisational measures; as can the requirement that a processor importer should apply access controls to personal data strictly, only allowing access to personal data where strictly necessary to perform or manage the contract. The annex of technical measures could also include references to encryption or pseudonymisation; again, methods recommended in suitable cases by the EDPB. These new provisions will increase the likelihood that, in appropriate cases, a data exporter will be able to use the Clauses to undertake transfers without needing to put in place additional safeguards.

Where additional safeguards are needed, then the Commission strengthens the role to be played by supervisory authorities. If a data exporter has reason to believe that a data importer cannot fulfil its obligations under the Clauses, either because the importer has notified of this, or because it has reached this conclusion itself, then the data exporter may only continue transferring personal data if it puts in place additional safeguards; however, if a data exporter takes this approach, it must notify the supervisory authority of this, and must provide full detail of the safeguards adopted for review by the supervisory authority.

What happens to existing SCCs?

The draft Implementing Decision provides a one-year sunset period for parties to put the new Clauses in place. During this period, transfers can continue to be made on the basis of existing SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the sunset provision and must move to the new Clauses. If parties change existing contracts only in order to introduce additional safeguards – as required by Schrems II and the EDPB Recommendations – then they can still benefit from the sunset provision.

Implementing the new Clauses will take significant effort – both because of the requirements associated with documenting transfer impact assessments, and because of the requirements to provide enhanced information to data subjects (see below) and to flow down the same terms to third parties/sub-processors if there are onward transfers.

The new Clauses fix known gaps

The current SCCs can only be used by data exporters in the EU which are controllers. This means that there are no approved standard contractual clauses which can be used when a processor in the EU transfers personal data to a sub-processor outside the EU (thus putting EU processors at a disadvantage compared to non-EU processors), or when a processor in the EU returns personal data to the controller on whose behalf it is processing the personal data. There are also no approved clauses for use by data exporters which are subject to the GDPR but which are not established in the EU. 

The new Clauses address these gaps, with content for use in controller to controller, controller to processor, processor to sub-processor and processor to controller situations. They also expressly state that they can be used by parties which are not established in the EU.  

The new Clauses are also designed to be used by multiple parties and to allow for change over time by including arrangements for new parties to accede to them via a – perhaps Star Trek inspired – “docking clause”.

The new Clauses impose GDPR-like obligations on data importers

The existing controller to controller SCCs require the controller importer to agree to follow data protection principles based on those set out in Directive 95/46. The Clauses include some new obligations in line with GDPR. The controller importer has to agree to transparency obligations, with an emphasis on clear and plain language, as in Art.12 GDPR. Access, erasure and rights to object to processing for direct marketing are also included.  One of the innovations of GDPR was to include an accountability principle and both controllers and processors have to agree to demonstrate their compliance with the Clauses; processors also have to keep records of the processing which they carry out on behalf of the controller. 

However, the Clauses do not seek to impose obligations which are identical to those in GDPR. Controller importers do not have to agree to implement portability or restriction and restrictions on automated individual decision making remain closer to those in Directive 95/46 (with an emphasis on safeguards and a right to object) rather than those in GDPR. Similarly, the Clauses are not (generally) prescriptive as to how accountability is achieved – so the specific provisions in GDPR relating to records of processing activity and data protection impact assessments are not included.

What could the Clauses do better?

There can often be uncertainty as to what extent parties can introduce supplemental terms without falling foul of the prohibition on contradicting provisions in the SCCs. The Commission has tried to make clear that additional clauses can be used, so long as they do not contradict the Clauses or undermine protections for individuals. However, this is an area where uncertainty is likely to remain. While there is uncertainty around this, it will make using the Clauses more complex than it need be and will divert attention away from substantive matters towards constant rounds of signatures. By way of example one supervisory authority has expressed concerns to the authors that even the seemingly uncontroversial change of adding a counterparts clause, allowing parties to sign separate physical documents, could invalidate the SCCs. It would be helpful if the Commission could do more to reduce this uncertainty – by including more optional clauses and by making clear that clauses which are concerned with process, rather than substance, do not contradict the clauses.

Where an EU controller transfers personal data to a non-EU controller, then the Clauses introduce onerous transparency obligations. The importing controller must notify the data subject of all data transfers that it intends to make to third parties – including identifying the third party and the purpose of transfer. Where an EU processor transfers personal data to a non-EU processor, then the Clauses require that the importer provide notices and assistance direct to the controller, rather than leaving this for the exporting processor to manage. By way of example, if the importing processor wishes to appoint sub-processors, then it must provide notice of this to the ultimate controller. It is likely that the exporter will already be including the importer’s sub-processors in its list of approved sub-processors, which are already notified to the controller under Art.28 GDPR. This could easily lead to duplication and confusion.

The docking clause concept, to allow for new parties to join, is helpful. However, the mechanism by which new parties join is not clear. The Clauses say that the new party may accede by completing a new data transfer Annex, “by agreement of the Parties”. It is not clear how the existing parties would give agreement – any mechanism which requires multiple existing parties to sign agreement will quickly become unwieldy and undermine the welcome flexibility which this introduces. It would be helpful if the Implementing Decision noted that it is for the parties to determine, at the outset, how this agreement may be documented – thus allowing solutions to be used which best fit the circumstances. The Clauses provide that, from the date of accession, the new party shall have the rights and obligations of a data exporter or importer, as applicable. From a good drafting perspective, the Clauses should also state that the parties transferring data to, or receiving data from, the new party shall undertake the obligations of data importer or data exporter, as applicable, in relation to the new party. We have also noticed a small number of other drafting glitches, some of which are flagged in the table below.

Where the Clauses cover transfers to a processor, or sub-processor, they inevitably cover the same ground as Art.28 data processing agreements. This will lead to potential duplication or inconsistency. The Clauses address this by containing a hierarchy provision – which states that, in the event of any conflict with other agreements covering the same subject matter, the Clauses will prevail. There will inevitably be questions over this. By way of example, the Clauses follow GDPR in requiring that a processor provide notice of a personal data breach “without undue delay”; a data processing agreement may stipulate a precise time period. In this example, there is probably a good argument that a more precise period is not in conflict (unless the period would involve undue delay), but one can imagine the kind of debate that will arise on this. There is no easy way of addressing this – and the Commission proposal seems a good way forward to us, providing certainty without overriding all previous terms which have been put in place. However, this will no doubt be an area where comments are made during the consultation process.

What do the new Clauses look like?

Because the new Clauses address controller to controller (C2C), controller to processor (C2P), processor to sub-processor (P2P) and processor to controller (P2C) transfers, they look very different to the current SCCs – where there are separate, free-standing agreements for each type of data transfer. The new Clauses contain certain content which is applicable to all situations – for example, introductory provisions and provisions on non-compliance and termination. They also contain modular content which is only applicable to one specific type of transfer (C2C, C2P, P2P or P2C). As a result they feel very different to the current SCCs – practitioners will need some time to get used to them.

The structure is:

Section 1 (general): general introductory provisions, third party rights, details of transfers covered, accession mechanism
Section 2 (modular): substantive data protection obligations; transfer impact and associated obligations
Section 2 (general with edits): redress, liability, indemnification, supervision
Section 3 (general with edits): termination, governing law and jurisdiction

For those who want a deeper analysis of the new Clauses, the table below sets out a full summary and also shows how the modular provisions compare to each other. For brevity, in the table, we have used DS for data subject and SA for supervisory authority.

Section I

Clause 1: purpose and scope purpose to ensure compliance with GDPR; statement that can agree extra provisions so long as these do not contradict the Clauses or prejudice rights of DSs; inclusion of 3rd party beneficiary rights; definitions in GDPR apply; in the event of a conflict between the Clauses and other agreements the Clauses shall prevail; Annex 1B specifies the applicable transfers; optional accession mechanism.

Section II: obligations of the parties

Clause 1: data protection safeguards (data protection principles)

Instructions
  C2C: -
  C2P: Importer to process only on documented instructions of exporter. Must immediately advise exporter if cannot follow instructions.
  P2P: Exporter to inform importer that it acts under instructions of controllers; identity of controllers and details of instructions to be provided. Importer to process only on documented instructions from controller as supplemented by non-conflicting instructions from exporter. Importer must advise if cannot follow instructions and exporter must notify controller.
  P2C: Exporter to process data only on instructions from the controller importer. Exporter to notify importer if it is unable to follow instructions. Importer to refrain from any action that would prevent the data exporter from fulfilling its obligations under GDPR – e.g. as regards co-operation with SAs.

Purpose limitation
  C2C: Importer not to process personal data for any purposes incompatible with those in Annex 1.B, without DS’s prior consent.
  C2P / P2P: Importer only to process data for specific purposes of transfer as per Annex 1.B.
  P2C: N/A

Transparency
  C2C: Data importer must inform DSs, directly or indirectly, of its identity & contact details; any change in purpose; if data disclosed to any 3rd party, the identity of the 3rd party and purpose of disclosure. Exemption where DS already has the information or where notice would be impossible or involve disproportionate effort. In this case, must post a publicly available privacy notice with the information. Parties to provide clauses to DS on request.
  C2P / P2P: Parties to provide copy of clauses to DS on request.
  P2C: N/A

Accuracy and data minimisation
  C2C: Ongoing data accuracy commitment on parties; notification of inaccuracy to each other; data minimisation obligation on importer.
  C2P / P2P: Parties to notify each other if aware of inaccuracy. Importer to co-operate to rectify. For P2P, must also notify and co-operate with controller.
  P2C: N/A

Storage limitation
  C2C: Storage limitation obligation on importer.
  C2P / P2P: Storage limitation obligation on importer, at end of which must return or delete data – notwithstanding any requirements under local law which prohibit this. In that case, must guarantee continued protection and only process as required by such local law.
  P2C: N/A

Security
  C2C: Security obligation – on both parties during transmission and on importer once received. Importer to ensure personnel under obligation of confidentiality. Personal data breach reporting obligation on importer if data breach likely to result in significant adverse effects. Notice to data exporter and competent supervisory authority and to data subjects, if necessary in conjunction with data exporter (exemption for disproportionate effort). Importer must document breaches and remediation.
  C2P / P2P: Security obligation as per C2C but if pseudonymisation is used, additional information needed to identify individuals – where possible – to remain under exclusive control of exporter. Importer to implement technical and organisational measures (TOMs) specified in Annex II. Importer only to allow access to personal data to personnel where “strictly necessary” for contract & subject to appropriate confidentiality. Personal data breach obligations in line with GDPR. For P2P, importer to notify controller where appropriate; assistance obligations to enable exporter to meet its obligations to assist the controller under the GDPR.
  P2C: Parties to ensure security of data during transmission.

Special categories of personal data
  C2C: Importer to apply specific restrictions.
  C2P / P2P: Importer to apply specific restrictions listed in Annex 1.B.
  P2C: N/A

Onward transfers
  C2C: Permissible if 3rd party is bound by these Clauses; or adequate safeguards provided per GDPR Arts. 45 – 47; or 3rd party and data exporter enter into new agreement providing same level of protection as the Clauses and importer provides a copy of this to exporter; or explicit consent of DS + notice to data exporter.
  C2P / P2P: Onward transfers only per instructions of the exporter (or for P2P, of the controller). If in a third country, only if: per Arts. 45 – 47 GDPR; or if 3rd party agrees to be bound by these Clauses.
  P2C: N/A

Processing under the authority of the importer
  C2C: Processing to be under authority of importer.
  C2P / P2P: N/A
  P2C: N/A

Accountability
  C2C: Parties to be able to demonstrate compliance. Importer to make documentation available to competent supervisory authority on request.
  C2P / P2P: Importer to deal with queries from exporter (or for P2P, exporter or controller). Parties to be able to demonstrate compliance – in particular, importer to have documentation on processing carried out on behalf of the exporter. Importer to make available information necessary to demonstrate compliance, and to agree to audit or to rely on an independent audit organised by and at the cost of the importer – to include on-premise inspection on reasonable notice. Audit results and other information to be available to supervisory authority on request. For P2P, accountability etc. obligations owed to exporter and controller.
  P2C: Parties to be able to demonstrate compliance.

Clause 2: local laws affecting compliance with the Clauses

  C2C / C2P / P2P: Warranty from parties – no reason to believe laws in 3rd country (including relating to access by public authorities) would prevent importer from fulfilling its obligations. Carve out for laws in the 3rd country that respect the essence of fundamental rights & freedoms and do not exceed what is necessary & proportionate to safeguard an objective per Art.23(1) GDPR (restrictions (i.e. exemptions)). Parties state that warranty is given taking due account of:

  - circumstances of the transfer (i.e. content and duration of contract; scale and regularity of transfers; length of processing chain and transmission channel used; type of recipient; purpose; nature of data; relevant practical experience of public authority requests (or lack thereof) for the type of data transferred);

  - laws of 3rd country;

  - any safeguards in addition to the Clauses, including TOMs applied during transmission and at destination.

  Importer to make best efforts to provide relevant information for assessment – and to continue to co-operate in ensuring compliance; also to notify exporter if reason to believe subject to laws not in line with above obligations, including as a result of change in law.

  Assessment above to be documented and to be available to SA on request.

  Exporter which receives an importer’s conflict of laws alert, or which otherwise concludes importer can no longer comply, must promptly identify appropriate TOMs to address the situation. If exporter is a processor this must be in consultation with the controller. If exporter concludes that it can implement appropriate safeguarding measures and will continue transfer on this basis, it must notify SA, along with applicable documentation. If exporter concludes it cannot provide additional safeguards, must cease transfer. If importer is sub-processor, must suspend transfer if controller instructs it to do so.

  P2C: N/A if processor merely processes data received from controller. If the processor combines this with personal data collected by the processor in the EU then the provisions do apply.

Clause 3: obligations of importer in case of government access requests

  Importer to notify exporter and DS (where possible and if necessary with help of exporter), if it receives a legally binding request for disclosure of personal data by a public authority in the 3rd country, or if it becomes aware of direct access by public authorities in the 3rd country to personal data transferred pursuant to the Clauses. Processor exporter must forward the notification to the controller.

  If local law prohibits notification to exporter/DS, importer agrees to use best efforts to obtain a waiver of the prohibition and to communicate as much as possible. Importer to document its best efforts so it can demonstrate them on request of exporter.

  Importer to provide exporter, at regular intervals, with the greatest possible amount of relevant information on requests received – e.g. number of requests, type of data requested and requesting authority, whether challenged and outcome. All to be as permissible under law of 3rd country. Exporter processor to forward above to the controller.

  Importer to preserve records of the above and to make available to competent supervisory authority on request.

  Importer must comply with these provisions irrespective of any notice to exporter advising it that it cannot comply (yes, really).

  Importer to assess requests for data to confirm legality under law of 3rd country; if there are grounds to challenge under 3rd country law, importer to exhaust all such available remedies. Importer to seek interim measures to suspend effects of the request until court has decided on the merits. Importer not to disclose personal data until required to do so under applicable procedural rules. Importer to provide minimum amount of information permissible in response to a request. Importer to document legal assessment and challenge and – to extent permissible under 3rd country law – to make available to exporter and to competent supervisory authority on request. (There seems to be a drafting error here – a note requiring a processor exporter to forward the above to the controller is needed.)

Clause 4: use of sub-processors

  C2C: N/A
  C2P / P2P: Restrictions on sub-contracting without authority of exporter. Options included for specific prior authorisation or general written authorisation, on the basis of notice given in sufficient time to allow the exporter a right of objection, and based on attached list of sub-processors (in Annex III). Importer to provide copy of sub-processor agreement on request. Importer to be responsible for acts of sub-processor. Sub-processing clause to have 3rd party beneficiary clause whereby exporter is third party beneficiary to contract in event of bankruptcy of importer – including a right to require deletion or return of data.
  P2P (additionally): Authorisation has to be given by the controller. Third party rights in the event of bankruptcy of importer are to be exercisable by the data exporter.
  P2C: N/A

Clause 5: data subject rights

  C2C: Importer to deal with and to facilitate exercise of DS rights. Obligation to provide information in intelligible and easily accessible form, using clear & plain language. DS rights correspond to rights of transparency and access (including to information in Annex I), rectification, and erasure under GDPR and rights to object to processing for direct marketing purposes. There is no obligation to support portability or restriction or to allow a general right to object to processing based on legitimate interest or performance of a task in the public interest. There are restrictions on use of automated individual decision making, which are not as extensive as those under GDPR and are akin to those under Directive 95/46. There are derogations for requests which are excessive or where refusal is allowed under the laws of the 3rd country & in line with Art.23 GDPR restrictions (i.e. derogations). Data importer must inform DS if it refuses a request.
  C2P / P2P: Obligation for importer to notify exporter of request it receives directly from DS. Obligation for importer to assist exporter, in line with Art.28 GDPR. For P2P, importer must notify controller where appropriate and must assist controller.
  P2C: Further assurance provision.

Clause 6: redress

  C2C / C2P / P2P: Importer to provide contact point for complaints (either by direct notice or website). Complaints to be handled promptly. Optional provision for importer to agree that complaints can be lodged with independent dispute resolution body. Obligation to keep parties informed and to co-operate in resolution. If dispute not resolved and DS invokes 3rd party beneficiary rights, data importer accepts decision of DS either to complain to a SA; or to refer the dispute to the competent courts. Parties agree that DS can be represented via representative actions under Art.80 GDPR (e.g. actions by NOYB etc.). Importer agrees to abide by decision binding under EU/MS law.
  P2C: N/A

Clause 7: liability; Clause 8: indemnification

  - Each party liable for damage caused. Liability limited to actual damage and punitive damages excluded.
  - Each party liable to DS for damage it causes. For C2P and P2P transfers, data exporter also liable to DS for damage caused by data exporter or data importer. If more than one party is responsible for damage, then parties are jointly & severally liable to DS.
  - Importer cannot avoid liability by blaming actions of a sub-processor.
  - Exporter’s liability under GDPR not affected by above provisions. Where transfer is P2P, controller’s ultimate liability to DS also not affected by this.
  - Indemnification: if one party is held liable for a breach caused by another, it can claim back liability corresponding to the other party’s part of responsibility. Indemnification is contingent on prompt notification and co-operation and assistance.

Clause 9: supervision

Data importer to agree to submit to jurisdiction of competent SA and to respond to inquiries, submit to audits by and comply with measures adopted by the SA, including remedial and compensatory measures.

The competent SA will be the SA which is competent in relation to the data exporter. If the data exporter is not established in a Member State, but GDPR is applicable on an extra-territorial basis by virtue of Art.3(2), then the supervisory authority of the Member State where DSs are, whose data is transferred shall be competent.

This section may benefit from some drafting edits to make clear that there could be multiple supervisory authorities.

Section III final provisions

Clause 1 (non-compliance and termination): importer to inform exporter if unable to comply with the Clauses. If importer is in breach or unable to comply, exporter shall suspend transfer or terminate contract. Exporter entitled to terminate if suspension continues for more than one month, for substantial or persistent breach by importer, or failure by importer to comply with binding decision of court or competent SA. Exporter must inform competent SA of any such non-compliance.

In event of termination, data to be deleted or returned. (For P2C – deleted, not returned.) If importer has to keep data to meet 3rd country law, it will continue to ensure protection for personal data and only process for so long as required under local law. Party(ies) can revoke agreement to be bound by the Clauses if an adequacy decision is adopted or if GDPR becomes part of the legal framework of the 3rd country.

Clause 2 (governing law): Clauses to be governed by law of one of the Member States, provided that law allows for 3rd party beneficiary rights. Parties to specify the Member State. For C2P or P2P only, parties may select for Clauses to be governed by law of the Member State where the data exporter is established, provided this allows for 3rd party beneficiary rights. (Note that the requirement that the Member State law must allow for 3rd party beneficiary rights may mean that Irish law cannot be selected, where there is uncertainty over third party rights.)

Clause 3 (forum and jurisdiction): Disputes to be resolved by courts of an EU Member State. Parties to specify which Member State this is. DS may also bring proceedings in courts of Member State where the DS has his/ her habitual residence. Parties agree to submit themselves to jurisdiction of courts of EU Member States.

 

Annex 1

A: list of parties

Name, address, contact details, signature

Description of activity relevant to the transfer

For exporter to include details of DPO and/ or EU representative

For P2P transfers, to include identity and contact details of controller

B: Description of transfer

Categories of data subjects and personal data

Details of any special category data

Purposes of transfer and further processing

Maximum retention periods (if any)

For transfers to (sub) processors, annex to reflect instructions from the controller and the subject matter, nature and duration of processing

Annex II technical and organisational measures (including to ensure security)

For transfers to (sub)processors, this annex sets out the instructions from the controller(s) and the measures to provide assistance to the controller

Annex III list of sub-processors

This article has been previously published on the IAPP website and shared with its members.
