The European Commission released two new sets of standard contractual clauses (SCCs) and an implementing decision on each new set of SCCs on June 4, 2021.  One set of the new SCCs may be used between a controller and processor subject to the GDPR (‘controller-processor SCCs’) while the other set of new SCCs may be used between or among several different combinations of parties in situations where personal data will be transferred from the European Economic Area (EEA) to a location outside the EEA (‘cross-border SCCs’).

The controller-processor SCCs provide a template for controllers and processors subject to the GDPR to use as a data processing agreement (often referred to as a “DPA”), thereby sparing parties the need to develop or negotiate their own DPAs.  Notably, though, the Commission clarified that the controller-processor SCCs are not mandatory and parties may choose to negotiate their own form of DPA if they wish.

In the cross-border SCCs, the Commission provided much-needed flexibility to organizations looking to use SCCs to accomplish a GDPR-compliant cross-border personal data transfer.  The Commission also included new clauses in the cross-border SCCs aimed at ensuring that personal data is not transferred to countries where local laws or practices may impinge on the protections of personal data provided for under the GDPR.

Below are some key points regarding each set of SCCs:

Cross-Border SCCs

In its implementing decision on the cross-border SCCs, the Commission aptly recognized that since the time of its decisions which implemented the “old SCCs” (i.e., the SCCs which only accommodated personal data transfers between an EU-established controller and a controller established outside the EU or between an EU-established controller and a processor established outside the EU), the “digital economy has seen significant developments, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains, and evolving business relationships.”[1]  Thus, the old SCCs were in great need of modernization.

  • Modules: One of the main features which distinguishes the cross-border SCCs from the old SCCs is that the cross-border SCCs may be used in a wider variety of situations.  The cross-border SCCs provide for different “modules” accommodating personal data transfers (1) from one controller to another controller, (2) from a controller to a processor, (3) from one processor to another processor, and (4) from a processor to a controller.  The Commission noted in its implementing decision that it is up to the parties to the cross-border SCCs to determine their respective roles and which module fits their situation.[2]
  • Local Laws and Government Authority Requests: Within the cross-border SCCs is a section titled “Local Laws and Obligations in Case of Access by Public Authorities”[3], under which the parties to the SCCs warrant that they have no reason to believe that laws or practices in the country of the data importer (“country of destination”) would prevent the data importer from complying with its obligations under the cross-border SCCs, and that they have “taken due account” of such laws and practices.  In other words, it is expected that parties undertake an assessment of the laws and practices in the country of destination and how they may impact the protections provided for in the GDPR.  Under Clause 14(b), that assessment takes into account the specific circumstances of the transfer (e.g., the categories and format of the data, the sector and the length of the processing chain), the relevant laws and practices of the country of destination, and any contractual, technical or organizational safeguards that supplement the SCCs, including measures applied during transmission and to the processing in the country of destination.  In practice, this means that technical controls such as encryption in transit and at rest, and who holds the keys, form part of the analysis.  Furthermore, this assessment must be documented and made available to a supervisory authority upon its request.[4]  The requirement to perform and document this assessment will likely prove burdensome to some organizations, and it remains to be seen whether, in practice, it will be feasible for organizations to engage in the in-depth analysis that the Commission envisions.

Also within the cross-border SCCs are clauses requiring a data importer to promptly notify the data exporter (and, where possible, the data subject) in the event the data importer receives a legally binding request from a public authority in the country of destination to disclose personal data, or becomes aware of any direct access by public authorities to the transferred personal data.[5]  The data importer is also obligated to review the legality of any public authority request for personal data and to challenge and/or appeal such request if, after careful assessment, there are reasonable grounds to do so.[6]

It is apparent that the Commission’s aim in including the above clauses in the cross-border SCCs was to set up a framework whereby parties would need to assess the level of protection of personal data along the lines of what the Court of Justice deemed necessary in its Schrems II decision, which held that even when using SCCs, organizations should assess on a case-by-case basis if the personal data being transferred to the “country of destination” would be subject to a level of protection equivalent to that which it has under the GDPR, so as not to “undermine the level of protection” offered by the GDPR.[7]  While some organizations have been attempting to undertake such assessments ever since the Schrems II decision was handed down, other organizations that have not done so and wish to use the cross-border SCCs will need to strategize and plan how to conduct an analysis of whether, and to what extent, personal data may be protected in light of local laws and government requests.

  • SCCs and DPA in One: In its implementing decision, the Commission noted that the cross-border SCCs may be used to satisfy the requirement under Articles 28(3) and (4) of the GDPR – namely, that a controller/processor relationship or processor/sub-processor relationship be governed by a “contract or other legal act under Union or Member State law”.[8]  The terms of this “contract”, or DPA, are built into the cross-border SCCs.  Therefore, it is not necessary for organizations that have a controller/processor relationship or processor/sub-processor relationship to enter into two separate agreements to address GDPR-compliant data transfers on the one hand and DPA-required terms on the other hand; rather, all of the necessary terms addressing both of these subject areas are included with the cross-border SCCs.
  • Docking Clause: The cross-border SCCs contain an optional docking clause under which an entity or entities may, with the agreement of the existing parties to the cross-border SCCs, be added as new parties (either as data exporter or data importer) to the cross-border SCCs.[9]  Having the option to add parties to the cross-border SCCs may be especially important in situations where there will be a long chain of personal data transfers, such as when a data importer wishes to further transfer personal data (i.e., make an “onward transfer”) to another party in a different country.
  • When the old SCCs will become invalid: The implementing decision entered into force twenty days after its publication in the Official Journal on June 7, 2021 (i.e., on June 27, 2021).  Parties that have been using the old SCCs, or that enter into the old SCCs up until 3 months after that date (i.e., until September 27, 2021), may continue engaging in cross-border personal data transfers pursuant to those old SCCs for 18 months after that date (i.e., until December 27, 2022), provided that their processing operations remain unchanged during that time frame and that reliance on the old SCCs continues to ensure appropriate safeguards for the transfer.[10]  After the expiration of the 18-month period, the old SCCs cannot be relied upon for cross-border personal data transfers.  Keeping this deadline in mind, parties should be proactive about amending agreements to replace old SCCs with the cross-border SCCs, as needed.

Controller-Processor SCCs

For the past few years, many organizations have invested time and resources to develop their own template DPAs and/or negotiate template DPAs that have been developed by other parties.  With the release of the controller-processor SCCs, controllers and processors subject to the GDPR now have the option of using the controller-processor SCCs as their DPA.

The provisions in the controller-processor SCCs closely align with those provisions which the GDPR (per Article 28(3)) requires to be included in a DPA.  Thus, many may find it preferable to use the controller-processor SCCs instead of a party’s own DPA template, which is more likely to be one-sided and/or to include provisions that are not required by the GDPR.  On the other hand, in some instances there may be good reason to use a party’s DPA template over the controller-processor SCCs; for example, where industry-specific rules or practices impact how personal data may be processed, the parties may want to specifically refer to those industry-specific terms in their DPA.

A few important points regarding the controller-processor SCCs:

  • Cross-border data transfers: The controller-processor SCCs cannot be used to provide “appropriate safeguards” (pursuant to Article 46(1) of the GDPR) for cross-border personal data transfers.[11]  If parties will transfer personal data from the EEA to a country outside the EEA which does not have an adequacy decision from the Commission, they will need to ensure the transfer is GDPR-compliant but cannot rely on the controller-processor SCCs as the mechanism for a GDPR-compliant transfer.
  • Docking Clause: As with the cross-border SCCs, the controller-processor SCCs contain an optional docking clause under which a party may, upon the agreement of the existing parties to the controller-processor SCCs, be added as an additional controller or processor to the controller-processor SCCs.[12]
  • Selecting appropriate options and filling in details: The controller-processor SCCs require the parties to do more than simply fill in the signature block; they must select certain options and fill in details about the processing operations that will occur pursuant to the controller-processor SCCs.  For example, the parties must decide whether the controller will provide the processor with general authorization to engage sub-processors or will prohibit the processor from engaging any particular sub-processor without the specific prior authorization of the controller.  Other specific information must also be inserted, such as categories of data subjects whose personal data will be processed, the nature of the processing, duration of the processing and the technical and organizational measures that will be used to ensure the security of personal data.

Moving Forward

When the Commission’s implementing decision and new cross-border SCCs were in draft form, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a joint opinion of nearly 30 pages full of suggestions and recommendations calling on the Commission to clarify certain issues and modify aspects of the SCCs.[13]  Many of those suggestions and recommendations were not addressed by the Commission in its final implementing decision and cross-border SCCs, which were released on June 4.  The cross-border SCCs and controller-processor SCCs do not provide complete clarification on all of the complex issues surrounding cross-border personal data transfers or the relationship between a controller and processor.  They do, however, provide organizations with options they didn’t previously have to pursue cross-border personal data transfers in compliance with the GDPR and to facilitate entering into DPAs.

As organizations grapple with questions of whether and how to use the Commission’s newly released SCCs in the coming months, they should stay tuned for further opinions and guidance from the EDPB.

[1] Recital 6 of Commission Implementing Decision of 4.6.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[2] Id. at Recital 10.

[3] Cross-border SCCs, Section III

[4] Id. at Clause 14(d)

[5] Id. at Clause 15.1(a)

[6] Id. at Clause 15.2

[7] See ¶2 of CJEU ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18

[8] Recital 9 of Commission Implementing Decision of 4.6.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[9] Cross-border SCCs, Clause 7

[10] See Article 4 of Commission Implementing Decision of 4.6.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[11] Recital 10 of Commission Implementing Decision of 4.6.2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council.

[12] See Clause 5 of controller-processor SCCs

[13] EDPB – EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 2016/679.