Keypoint: Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.
As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.
As explained in the implementing decision, the SCCs “needed to be updated in light of new requirements in” GDPR. The SCCs also needed to be updated to consider “important developments . . . in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” The draft SCCs are also heavily influenced by the CJEU’s Schrems II decision.
The implementing decision and draft SCCs are open for public feedback until December 10, 2020. The European Commission presented the draft SCCs to the European Data Protection Board (EDPB) at the EDPB’s 42nd plenary session and requested a joint opinion from the EDPB and the European Data Protection Supervisor. For reference, the EDPB’s recommendations on draft supplementary measures was discussed in this blog post.
Once finalized, there will be a one-year implementation period in which entities can continue to rely on the existing SCCs for contracts entered into prior to the new SCCs going in effect, provided that the contract remains unchanged. However, the parties to the contract still must institute supplementary measures to allow for appropriate safeguards in light of the Schrems II judgment.
A discussion of some of the relevant takeaways from the draft SCCs follows:
The draft SCCs follow a four-module format: (1) controller to controller transfer; (2) controller to processor transfer; (3) processor to processor transfer; and (4) processor to controller transfer. The parties to the contract will need to modify the SCCs to reflect their relationship. For example, there are four different options for Section II, Clause 1 (Data Protection Safeguards) based on which of the four modules applies.
Relationship with Article 28
Paragraph 9 of the implementing decision explains that the draft SCCs “should also allow [the parties] to fulfil the requirements of Article 28(3) and (4) of” GDPR. Because the existing SCCs were issued prior to GDPR, it is customary for parties to enter into a separate data processing agreement (DPA) to address the Article 28 requirements. By integrating the Article 28 requirements into the draft SCCs, the European Commission has obviated the need to separately address them in a DPA. (The European Commission also issued a draft implementing decision and standard contractual clauses for processors and controllers in the EEA that complies with Article 28.)
However, this does not mean that the parties will not otherwise want or need to enter into a DPA. For example, to the extent applicable, DPAs will still be needed to address the parties’ obligations for data not subject to GDPR. In the United States, this will include data subject to the California Consumer Privacy Act and, as of January 2023, the California Privacy Rights Act (CPRA). In particular, sections 1798.100(d), 1798.140(j), and 1798.140(ag) of the CPRA will significantly expand the contractual requirements when transferring data to another entity.
Parties also will likely want to augment the draft SCCs’ liability provisions. Section II, Clause 7 (modules two and three) provides that “[e]ach party shall be liable to the other Party/ies for any material or non-material damages it causes the other Party/ies by any breach of these Clauses.” It is foreseeable that entities will want to reach further agreement on items such as the amount of cybersecurity insurance and contractual obligations for processors to defend and indemnify controllers for the costs of providing notice to data subjects and for defending and indemnifying controllers for losses and fines caused by a processor’s data breach.
Additionally, although the draft SCCs address a number of topics dealing with Schrems II (see below discussion), the EDPB’s recommendations suggest the use of additional contractual measures. (See our prior blog post for a discussion of those contractual measures.)
The European Commission certainly anticipates parties supplementing the SCCs with other agreements. Section I, Clause 1 provides that the SCCs do “not prevent the Parties from including the standard contractual clauses laid down in this [sic] Clauses in a wider contract, and to add other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.” Further, Clause 4 (Hierarchy) provides that the SCCs will prevail over any other agreement with a conflicting provision.
Schrems II Provisions
Unsurprisingly, the drafts SCCs contain a number of provisions directed at addressing the issues identified in Schrems II.
Transfer Impact Assessments
The SCCs reinforce the Schrems II court’s requirement and subsequent EDPB guidance that parties need to engage in transfer impact assessments. Section II, Clause 2 requires the parties to warrant that they have “no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.”
Further, the parties are required to document and make available to the competent supervisory authority an assessment addressing:
(i) the specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers; the length of the processing chain, the number of actors involved and the transmission channels used; the type of recipient; the purpose of processing; the nature of the personal data transferred; any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred;
(ii) the laws of the third country of destination relevant in light of the circumstances of the transfer, including those requiring to disclose data to public authorities or authorising access by such authorities, as well as the applicable limitations and safeguards;
(iii) any safeguards in addition to those under these Clauses, including the technical and organisational measures applied during transmission and to the processing of the personal data in the country of destination.
The draft SCCs reinforce that the data importer has a significant role in this process and must warrant that “it has made best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.”
This requirement echoes steps 3 and 4 of the EDPB’s supplementary measures recommendations. However, as IAPP Chief Knowledge Officer Omer Tene recently pointed out, the European Commission and EDPB’s approaches may differ in important respects.
For US entities, a primary focus of the transfer impact assessment will be the applicability of FISA 702 – a central focus of the Schrems II decision.
Government Access Requests
Section II, Clause 3 identifies the obligations of the data importer if it receives a government access request. Those obligations include notifying the data importer, if legally possible, and providing relevant information regarding the request; reviewing the legality of the request and objecting to it if there are lawful grounds to do so; and providing the minimum amount of information permissible when responding to a request.
Section I, Clause 2 provides data subjects with third party beneficiary rights to enforce those requirements. Further, Section II, Clause 7 provides that (depending on the specific module) one or both of the parties “shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer causes the data subject for any breach of the third party beneficiary rights under these Clauses.”
In a November 19, 2020 blog post, Microsoft announced that it would immediately implement comparable assurances.
Notwithstanding the above, the draft SCCs do not identify specific supplementary measures that entities should implement. The EDPB’s recommendations will need to be consulted for such guidance. However, the draft SCCs provide a logical place for documenting the technical supplementary measures in Annex II.
Finally, the draft SCCs contain provisions on the use of sub-processors for the controller to processor or processor to processor modules; data subject rights; redress; indemnification; supervision; non-compliance with the clauses and termination; governing law; and choice of forum.