As is known, on 12 November 2020 the European Commission published the draft new standard contractual clauses (hereinafter, the "SCCs"), which according to Article 46.2 of the GDPR can constitute appropriate safeguards for transfers of personal data to non-EU countries [1]. The draft SCCs are, in accordance with the usual procedure, subject to public consultation until 10 December 2020, which is why the European Commission will hopefully adopt the final version in the next few months [2].
The new SCCs are intended to replace the clauses adopted by the Commission in implementation of Directive 95/46/EC and, therefore, to update the existing versions to bring them in line with the principles and requirements under Regulation (EU) 2016/679 (hereinafter, the "GDPR"), in order to adapt them also to new technological developments.
At the same time, the new SCCs arise from the need to more appropriately reflect the use of new and more complex processing operations often involving multiple data importers and exporters, as well as to regulate cases where the laws of the country of destination impact compliance with the clauses, particularly in case of binding requests from public authorities for disclosure of personal data.
It is not by chance, however, that the European Commission started the work for the adoption of the new SCCs only a few months after the well-known "Schrems II" judgment, whereby the Court of Justice of the European Union invalidated the decision relating to the Privacy Shield[3][4], emphasising, in particular, the need to undertake an assessment of the conformity of the legislation of the third country to which data is transferred to the rules and principles imposed by the GDPR.
The new draft SCCs contain a greater number of regulatory elements than the former SCCs and include a set of general clauses, to be supplemented with one of the four modules attached thereto, so that the data importer and the data exporter can adapt the SCCs, on a case-by-case basis, to each specific transfer of personal data.
More specifically, the modules concern:
(i) controller to controller transfer of personal data;
(ii) controller to processor transfer of personal data;
(iii) processor to processor transfer of personal data;
(iv) processor to controller transfer of personal data.
The draft SCCs were the subject of a joint opinion from the European Data Protection Board (hereinafter, the “EDPB”) and the European Data Protection Supervisor (hereinafter, the “EDPS”)[5].
In Joint Opinion 2/2021 (hereinafter, the “Joint Opinion”)[6], the two European bodies have highlighted how the standard contractual clauses proposed by the Commission are, in some respects, still unclear, thus inviting the European Commission to further amend them in order to ensure their practical usefulness for market players in their day-to-day operations.
The purpose of this document is therefore to illustrate the main innovations introduced by the European Commission with the publication of the draft SCCs, in the light of the observations shared by the EDPB and the EDPS in their Joint Opinion.
2.1 The different SCC modules
As mentioned, the new SCCs consist of a general section, followed by a special section including four different modules, to be adapted to each personal data transfer depending on the subjects involved.
One of the first aspects considered in the Joint Opinion relates to the possibility of combining the different SCC modules to address specific cases and market dynamics that may require it. More specifically, the two bodies highlight that the SCC framework should make clear that the combination of different modules in a single set of SCCs, where possible, cannot lead to blurring of roles and responsibilities among the parties. In other words, and more broadly, the EDPB's and EDPS's suggestions are primarily aimed at providing greater clarity in the interaction between the four types of SCC sets. This, in the two bodies’ view, would prevent “creating any kind of ambiguity for those market players who will be called upon to apply the regulatory instruments under consideration herein”.
With particular reference to Module One in the draft SCCs (i.e. personal data transfer controller to controller), the EDPB and the EDPS call on the Commission to clarify whether such clauses are applicable also in case of joint controllership, with regard to processing of personal data carried out by joint controllers where one of the joint controllers is established outside of the EU and is not subject to the GDPR, or whether, on the contrary, their scope is limited only to the processing carried out by two separate controllers.
With regard to Module Three in the draft SCCs, namely the one applicable to the transfer of personal data from a processor to another processor (i.e. “sub-processor”), the two bodies are of the opinion that the Commission should clarify whether the controller has to sign such clauses, or whether the processor and sub-processor only need to mention the identity of the controller in the annex. In the first case, however, it should be clarified what effect and what obligations of Module Three apply to the controller.
2.2 The “docking clause”
Among the main changes in the draft new SCCs is clause 6 in the general section thereof, i.e. the so-called “docking clause”[7], which provides that any entity that is not a party to the SCCs may, with the agreement of the parties, accede to the SCCs at any time and therefore become a new party thereto, either as a data subject or as a data processor. In other words, such clause allows a third party to become a new party to a contract already entered into between the parties, without having to enter into further SCCs. It should be noted that the docking clause only operates once that third party entity has completed Annexes I.A, I.B and II to the SCCs, concerning, respectively, the list of the parties signing the SCCs, the description of the personal data transfer and the technical and organisational measures.
In this regard, in the Joint Opinion it is reiterated that the qualification and role of any such new party to the contract should appear clearly in the Annexes, putting the burden on the parties to further detail and delimit the allocation of responsibilities and indicate clearly which processing is carried out by which processor(s), on behalf of which controller(s) and for which purposes.
Furthermore, in order to avoid any difficulties in the practical application of the said clause, in the Joint Opinion, the EDPB and the EDPS call on the European Commission for clarification on the way such agreement could be given by the other parties (e.g. whether it should be provided in writing, the deadline, the information needed before agreeing).
2.3 The assessment of third country laws and the relationship with the EDPB Recommendations 1/2020
With regard to the four modules following the general section, particularly important are clauses 2 and 3, involving the obligation for the data exporter to make an assessment concerning the personal data legislation applicable in the country where data is imported. More specifically, the European Commission mandatorily requires the parties, upon completion of their assessment, to confirm that they have no reason to believe that local third country laws will prevent the data importer from meeting its obligations under the SCCs.
According to the Commission, said assessment must be based on (i) the specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers; the length of the processing chain, the number of actors involved and the transmission channels used; the type of recipient; the purpose of processing; the nature of the personal data transferred; any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred; (ii) the laws of the third country of destination relevant in light of the circumstances of the transfer, including those requiring to disclose data to public authorities or authorising access by such authorities, as well as the applicable limitations and safeguards; and (iii) any safeguards in addition to those under these Clauses, including the technical and organisational measures applied during transmission and to processing of the personal data in the country of destination.
Notwithstanding the above, Annex II to the SCCs describes the set of technical and organisational measures applicable to the transfer in question, in order to ensure compliance with the security standards required by the European legislation on personal data protection. In this sense, in the opinion of the EDPB and the EDPS, the SCCs do not contain an indication of the most appropriate measures to achieve such purpose.
Among the main criticisms made by the EDPB and the EDPS of the new draft SCCs is that there may still be situations where, despite the use of the new SCCs, ad hoc supplementary measures will need to be implemented in order to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.
Therefore, in the opinion of the two bodies, despite the provisions contained in the aforementioned clauses 2 and 3 and the technical and organisational measures set out in Annex II, the new SCCs will have to be used along with the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, published by the EDPB on 11 November 2020, following the Schrems II judgment.
Indeed, as you will recall, in our previous article on the subject we highlighted how Recommendations 01/2020 are intended to assist data controllers and data processors who are data exporters in identifying and implementing appropriate supplementary measures, where needed to ensure a level of protection for data transferred to third countries that is substantially equivalent to that provided within the EU[8].
In the light of the above considerations, it would be desirable that the final version of the SCCs, which can reasonably be expected to be published in the next few months by the European Commission, will clarify all the grey areas identified by the EDPB-EDPS Joint Opinion and incorporate, before anything else, the comments and proposals for integration made by the two bodies, so that the new SCCs can actually and practically become an unequivocal guide for economic operators in step with the times and cross-border market dynamics.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Ilaria Todaro.
[1] SCCs consist of a set of template contract clauses that exporters and importers of personal data execute in order to ensure, through contractual obligations in accordance with the provisions of the GDPR, an adequate level of protection for personal data that leaves the European Economic Area. The European Commission had approved, pursuant to Directive 95/46/EC, up to three sets of standard contractual clauses: two for transfers of data from data controllers established in the EU to data controllers established outside the EU or EEA and one for transfers of data from data controllers established in the EU to data processors established outside the EU or EEA. No SCCs had yet been issued relating to transfers from processors established in the EU to controllers established outside the EU or relating to transfers from processors established in the EU to processors (or sub-processors) established outside the EU.
[2] The draft SCCs subject to public consultation until 10 December 2020 are available at the following link: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.
[3] Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
[4] The full text of the judgment is available at the following link: http://curia.europa.eu/juris/documents.jsf?num=C-311/18.
[5] It should be noted that the EDPB and the EDPS are independent European bodies whose role is, inter alia, to advise the European Commission on the format and procedures for the exchange of personal data among market players in order to protect the rights of data subjects.
[6] “EDPB - EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 2016/679”, available at the following link: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_it.
[7] Clause 6 of the general section of the draft of the new SCCs, entitled “Docking Clause”, reads: “(a) An entity that is not a Party to the Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer by completing Annex I.A [List of Parties], Annex I.B [Description of the transfer(s)] and Annex II [Technical and organisational measures]. (b) Once Annex I.A. is completed and signed, the acceding entity shall be treated as a Party to these Clauses and shall have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A. (c) The acceding Party shall have no rights or obligations arising from the period prior to the date of signing Annex I.A.”.
[8] For that purpose, the EDPB Recommendations 01/2020 contain a roadmap of the steps that data exporters must take in order to comply with the accountability principle, namely: (i) mapping all transfers of personal data to third countries; (ii) verifying the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR; (iii) assessing if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools one is relying on; (iv) identifying and adopting supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence; (v) taking any formal procedural steps the adoption of supplementary measures may require; (vi) monitoring at appropriate intervals the level of protection afforded to the data transferred.