Get ready for a wave of contract renegotiations and related compliance activities. The European Commission (“EC”) has published two sets of standard contractual clauses (“SCCs”) to address different aspects of the General Data Protection Regulation (“GDPR”):
- Standard Contractual Clauses for transfers of personal data to outside the European Economic Area (“EEA”) (which we’ll call the “New Cross-Border SCCs”). The New Cross-Border SCCs include separate modules (components) designed to address each of the following such transfers:
  - Controller to controller
  - Controller to processor
  - Processor to processor
  - Processor to controller
- Standard Contractual Clauses for use between controllers and processors under GDPR Article 28, irrespective of whether cross-border transfers are involved (which we’ll call the “Template DPA SCCs”).
The official versions are annexed to the Implementing Decision for the New Cross-Border SCCs and the Implementing Decision for the Template DPA SCCs.
Key initial takeaways for the New Cross-Border SCCs
- Conditional grace period and transition timeline. The New Cross-Border SCCs can be used instead of its predecessors starting June 27, 2021. From then through September 26, 2021, you can still use the old SCCs when entering into new contracts, and legacy contracts entered into under the old SCCs by that date do not need to be transitioned to the new SCCs until December 27, 2022, provided that reliance on the old SCCs provides “appropriate safeguards” within the meaning of the GDPR, and provided that the processing operations and subject matter of the legacy contract remain unchanged.
- Not cut-and-paste. Although the body of the New Cross-Border SCCs cannot be modified, it contains areas that must be customized to the particular transaction. These are similar but not identical to those in the legacy SCCs.
- Schrems II is addressed and often solved. The New Cross-Border SCCs contain enhanced provisions to address government access to data held by data importers. Some but not all of these provisions mirror those suggested by the European Data Protection Board (“EDPB”) in reaction to the Schrems II court decision that invalidated Privacy Shield and cast doubt on the old SCCs. For many transfers, compliance with these provisions and the rest of the New Cross-Border SCCs (including agreed security measures) will provide adequate protection for the data and allow its lawful transfer to the U.S. and other jurisdictions outside the EU. But can these SCCs automatically Schrems-proof every data flow? Nope.
- Transfer impact assessments required. Consistent with case law and EDPB guidance, the New Cross-Border SCCs require the exporter and importer to determine that the laws and practices in the importer’s jurisdiction, viewed in light of all factors relevant to the transfer, will not prevent compliance with the SCCs. Not all transfers will permit such a conclusion. This assessment must be documented.
- Risk assessment is permitted. Contrary to prior EDPB guidance, where local laws make the importer eligible to receive problematic governmental demands for access to the data, the New Cross-Border SCCs permit the parties to take into account the likelihood that such laws actually would be enforced against the importer (or other parties involved in the processing, such as a subprocessor) with respect to the exporter’s data. This means, for example, that the importer’s mere eligibility to receive directives for data disclosure under Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA”) is not a showstopper if the parties can demonstrate that the likelihood of such disclosures is sufficiently low.
- Transparency reports required. When conducting that assessment, the parties can and often should take into account the importer’s actual experience with government demands for data. For many B2B providers, this will convert the transparency report (a report containing such statistics) from a publication issued today by only a few companies into a must-have sales tool. And where the importer actually does receive governmental demands for data, the importer must (to the extent legally permitted) report these to the exporter. The SCCs contain specs for these reports, and companies must also consider laws and orders that limit the level of detail that such reports can contain when preparing them.
- Additional safeguards may be needed. Depending on the results of the transfer impact assessment, the parties may need to implement additional technical or contractual safeguards (i.e., beyond those in the New Cross-Border SCCs) to legitimize the transfer.
- No Schrems II grace period. Although there is a grace period for implementing the New Cross-Border SCCs, there is no grace period for ensuring that personal data transferred across borders receives adequate protection. This means that the steps described above should be taken even with respect to transfers that are permitted to flow temporarily under the legacy SCCs.
- Data security safeguards must be specified for most transfers, including controller-to-controller, and they must be detailed. The old controller-to-controller SCCs didn’t require any security details. For all transfers under the New Cross-Border SCCs (except processor-to-controller), the safeguards “must be described in specific (and not generic) terms.”
- Scope. Recital 7 of the Implementing Decision for the New Cross-Border SCCs indicates that the New Cross-Border SCCs cannot be used when the data importer is directly subject to the GDPR with respect to its processing of the transferred data pursuant to GDPR Article 3(2) (such as where the importer’s processing relates to the offering of goods or services to individuals in the EU or the monitoring of their in-EU behavior). See Section 2 (pages 13-21) of the EDPB’s Guidelines 3/2018 on the territorial scope of the GDPR for examples of when entities outside the EU/EEA are and are not subject to the GDPR under Article 3(2). If enforced, this limitation would mean, for example, that the New Cross-Border SCCs cannot be used in many transfers involving EU direct-marketing data. We expect guidance on this point soon. It creates a very significant gap, if read literally: many transfers for commercial and marketing purposes (and many others) will lack a clearly valid transfer mechanism.
- You need a game plan. All affected companies need to take stock of their data flows, prioritize them, assess risks and compliance, and prepare to implement the New Cross-Border SCCs when required. For affected importers in particular, preparation for the onslaught of queries and renegotiation requests will often include (i) creation of a transparency report, (ii) creation of a model transfer impact assessment specific to their offerings, (iii) identification, improvement, or creation of technical safeguards unique to their offering, (iv) updating their template customer DPA to include, complete, and complement the New Cross-Border SCCs, and (v) carrying out the same contracting exercise with their subcontractors and other third parties with whom the importer shares the imported personal data.
- There’s more! This is just a summary of a few of the requirements and impacts of the New Cross-Border SCCs.
Key initial takeaways for the Template DPA SCCs
- First of its kind. These are new and do not replace a prior similar instrument.
- Sufficient but not necessary. The Template DPA SCCs, when completed correctly, satisfy the GDPR Article 28 requirements for the data contract terms between a controller and processor (leaving aside cross-border issues). But use of this specific template is not required.
- Different focus. Use of the Template DPA SCCs does not impact whether the old or New Cross-Border SCCs can or should be used in transactions involving cross-border transfers. Use of one does not require use of the other (and, in fact, the Template DPA SCCs can be used only for certain transactions with processors, while the New Cross-Border SCCs can be used in other situations as well). For eligible transfers to processors, the New Cross-Border SCCs do contain a slightly condensed version of the GDPR Article 28 provisions found in the Template DPA SCCs.
- Upward pressure. The Template DPA SCCs have many provisions that are stricter than what generally results when Article 28 requirements are negotiated by parties with similar leverage. We anticipate that controllers will point to these provisions as evidence that they reflect the true controller-friendly meaning of Article 28. Although processors will push back and often win, we expect the publication of the Template DPA SCCs to raise the compliance bar in these negotiations at an aggregate level.
The European Commission’s press release contains links to both sets of SCCs and their Implementing Decisions.