The EU’s new standard contractual clauses – ensuring international data transfers?

Thursday 24 June 2021

Matthias Lachenmann

BHO Legal, Cologne

matthias.lachenmann@bho-legal.com

Ingo Baumann

BHO Legal, Cologne

ingo.baumann@bho-legal.com

Introduction

Transferring personal data from the European Union to third countries is riskier than ever. With its Schrems II decision (16 July 2020 – C-311/18), the Court of Justice of the European Union (CJEU) closed many loopholes and postulated a strict assessment of the laws of the importing country. The European Supervisory Authorities published an even stricter interpretation of the CJEU decision. Due to these events, EU companies and legal advisers are discussing ways for ensuring data transfers in the global economy.

The EU Commission has now published drafts for new standard contractual clauses (‘SCC-new’).1 Even though these SCC-new are a great step forward, several questions remain. We will give a brief follow-up of the CJEU’s decision and present the main contents of the SCC-new drafts.

International transfers and the Schrems II decision

In case of transfers of personal data from an EU country to a country located outside the European Economic Area, the data transfer is subject to obligations based on Article 44 of the General Data Protection Regulation (GDPR). These obligations come in addition to all other GDPR provisions, such as concluding a data processing agreement with a service provider or other suitable contractual agreements covering the data processing.

The European Commission assessed whether certain third countries have an adequate level of protection comparable with the EU. Such decisions are based on Article 45 of the GDPR, which states the minimum requirements to be fulfilled within third countries. A positive adequacy decision allows data to be transferred to these countries without any further permission. However, under the general conditions set out by the GDPR, so far, Japan is the only recognised country. Previous adequacy decisions remain valid, however, at least until the next verification process (Article 46 para 9, GDPR). The European Commission is in ongoing negotiations with other countries. On 30 March 2021, adequacy talks were concluded with South Korea.2

In case no adequacy decision applies, the data importer must provide guarantees as stated in Article 46 of the GDPR. The United States is not considered a country with an adequate level of protection. Therefore, special mechanisms were put in place in mutual agreements between the European Commission and the US: the Safe Harbor Agreement and, after the Schrems I decision (6 October 2015 – C-362/14), the EU-US Privacy Shield. Both agreements were subsequently invalidated by the CJEU.

The latest CJEU decision, Schrems II, leaves SCCs as the primary transfer mechanism to the US or other third countries. Still, all data transfers require further safeguards, including, for example, an analysis of the importing countries’ surveillance laws, granting authorities access rights to processed data. Following Schrems II, the European Data Protection Board published two recommendations setting high standards, which contain general references and use cases. The two documents lay out a seven-step plan on how to assess and document the conditions under which transfers of personal data can be carried out.3 Those high standards might be impossible to reach for some types of data transfers.

The existing standard SCCs – which were drafted and published prior to the GDPR under the European Data Protection Directive (Directive 95/46/EC) – offer only a basic protection with many broad obligations. The EU Commission has published drafts for SCC-new on 12 November 2020,4 which are now in the process of being adopted. The SCC-new fully consider the GDPR obligations and intend to provide a stronger basis for international transfers.

Brief overview of the SCC-new

The SCC-new are more extensive and contain concrete obligations on the processing of personal data. Many detailed obligations that follow from the GDPR are included in the contractual framework. The clauses are meant to assist data exporters and importers in assessing their specific obligations and thus enable them to implement a level of protection comparable to the GDPR.

The SCC-new are divided in three sections.

Section I contains general provisions, in particular outlining that the requirements of the SCC-new have priority over other contractual arrangements and applicable documentation of the data processing operations and the technical and organisational measures (please note: this refers to the processing of personal data only, not the general fulfilment of contractual obligations).

The core of the SCC-new is Section II, which contains a broad range of provisions setting individual obligations for the parties. On the one hand, this will make it easier for importers to understand what is required regarding the processing of personal data; on the other hand, it will now be much more difficult to prove compliance with the SCC-new. Therefore, data importers worldwide should begin as early as possible to understand the applicable GDPR’s provisions and to document how they ensure compliance with their obligations under SCC-new.

Section III includes further general provisions, especially on the termination of the contract. The exporter may terminate the contract if the importer fails to comply with its legal obligations (No 1 (b), (c)), of which the importer must inform (No 1 (a)). Disputes must be settled by courts of EU member states (No 3 (a)).

A closer look at the main obligations of the draft SCC-new

Clause 1 specifies the data protection safeguards (ie, transparency obligations relating to the data subjects – ie, people, whose personal data are processed), documentation of the processing and purpose of the processing.

Clause 2 requires the parties to warrant that they have no reason to believe the laws in the third country do not prevent the data importers from fulfilling the obligations under these clauses. Therefore, the parties must review the specific circumstances of the law in the third countries (in the past referred to as transfer impact assessment but, since Schrems II, as data transfer risk assessment). Data exporters do not need to conduct this entire assessment individually in any case, but at least they should be able to rely on previous assessments conducted for the respective country and data exporter and update such assessments in case of legislative changes. The particularities of each sort of data transfer must be considered in every case. The assessment must be documented and submitted to the competent data protection supervisory authority upon request. Further, the data importer agrees upon accepting the SCC-new to inform the data exporter of any changes (to the law, disclosure requests, etc). If there is no way to ensure appropriate safeguards, the data exporter must suspend the data transfer. Despite all assessments, it remains to be seen whether implementation of the Schrems II decision will lead to sufficient protection measures, since the CJEU mainly based its decision on US surveillance laws.

Clause 3 outlines the process by which importers must respond to requests from public authorities for disclosure of data transferred under the SCC-new. Clause 1 specifies the importer’s obligations, including on transparency to the data subject.

Clause 4 describes the process of engaging sub-processors. The importer must receive a prior or general written authorisation from the data exporter and must ensure that the sub-processor also complies with the SCC-new provisions.

Clause 5 contains the data subject’s rights and the obligations for the data importers to safeguard those rights, especially concerning transparency. The importer also must make sure that the data subject is able to make complaints and has all relevant information in this respect (Clause 6).

Clauses 7 and 8 describe the (broad) liabilities between the parties, including the possibility of penalties.

Clause 9 states, among others, that the importer must submit to the jurisdiction of the data protection supervisory authority responsible for the data exporter.

This brief overview demonstrates the variety of obligations and the complex processes for ensuring compliance with the SCC-new. Exporters and importers of personal data will face new challenges and require additional efforts to cover the new contractual obligations. It remains a particularly  challenging legal task to document compliance with the warranties as per Clause II for data transfers to the US. This is particularly due to the Schrems II decision, which referred to the broad legal possibilities for US administration to access personal data even against the parties’ will and, in many cases, without even providing notice. However, documenting compliance should be possible in many cases.

Conclusion

The draft European Commissions’ SCC-new address many criticisms and weaknesses of the former SCC and will thus lead to vast improvements. The SCC-new contain many provisions implementing the requirements of the GDPR and, in this way, incorporate them on contractual level between the parties. This is welcomed, as the provisions of the former SCC were so abstract that data importers could hardly derive concrete obligations from them. The incorporation of GDPR requirements into concrete obligations has the advantage that importers can identify and implement their obligations more easily.

A negative consequence of the SCC-new will likely be an advantage for large corporations over small- to medium-sized enterprises (SMEs). International corporations have already adapted themselves to the GDPR requirements and implemented the necessary processes (or at least, they claim to have done so). Fewer resources to implement the provisions means SMEs will be confronted with the GDPR requirements in an even more complex manner. Does this really lead to a higher level of data protection or will it leave the international data market to the big players?

It remains to be seen which feedback and suggestions for improvement raised during ongoing consultation process on the draft will be adopted by the European Commission. The final version was supposed to be adopted in March 2021 but, so far, the European Commission has not released the final text and it is not known when the final version will be published.


Notes

[1] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.

[2] https://ec.europa.eu/info/news/joint-press-statement-didier-reynders-commissioner-justice-european-commission-and-yoon-jong-chairperson-personal-information-protection-commission-republic-korea-2021-mar-30_en.

[3] https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en and https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en.

[4] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.