Out-Law Analysis | 01 Dec 2020 | 11:45 am | 5 min. read
The need for businesses to get a firm handle on their cross-border data flows has been reemphasised by the release of proposed new standard contractual clauses (SCCs) for consultation by the European Commission.
SCCs are the most popular legal mechanism relied upon by businesses to comply with EU data protection laws when transferring personal data from a location within the EU to a destination outside of the European Economic Area (EEA).
The current SCCs were endorsed by the European Commission in 2010 and therefore pre-date the introduction of the General Data Protection Regulation (GDPR). The move by the Commission to update the SCCs for the GDPR age comes at a time when SCCs and other legal tools for enabling personal data transfers have been subjected to close scrutiny by the EU's highest court in the 'Schrems II' case, as to their effectiveness in providing the safeguards mandated by EU law.
The new modular clauses reflect the commercial realities of cross-border flows relevant to global services and the digital economy. They account for data flows between independent data controllers, from controllers to data processors, from processors to sub-processors, and from processors back to controllers too.
Absent any adequacy decision for the UK, UK data controllers using data processors in the EU may want to consider the processor-to-controller clauses in their preparations for Brexit. From 1 January 2020, the UK becomes a 'third country' from a GDPR perspective, so organisations need to consider any transfers back from service providers, as the existing SCCs do not address transfers back. The new processor-to-controller clauses are significantly shorter than the other modular clauses and plug the technical gap which was slowing down negotiations for some EEA-based processors offering services outside of the EEA.
The new optional 'docking clause' is also helpful in enabling, in particular, new sub-processors to sign directly as an additional party to the clauses, which is welcome given the practical realities of modern processing activities.
The new Annex 1B outlines specific security measures to be applied to special category data, which is a welcome insertion to protect the rights of individuals with respect to their most sensitive details. This is likely to be of reassurance to businesses that share staff and customer data with service providers.
Organisations would have a one year grace period during which they could rely on existing SCCs before they are repealed and replaced with the new proposed SCCs.
In some instances, the clauses impose further obligations on processors, sub-processors and controllers, in their respective dealings with each other, than those contained in the GDPR.
For example, in controller-to-controller clauses, the importer must in the majority of cases ensure data subjects have its contact details and the parties must rectify inaccuracies of personal data "without undue delay" of becoming aware of them. There are also specific references to the security obligations in respect of "transmission" of data, even though the GDPR does not impose any mandatory contractual terms in independent controller relationships, in the absence of any third country transfers.
Another provision that goes beyond the black letter law is the need for processors to respond "promptly and properly" to inquiries from the exporter in respect of the processing activities under the clauses. They must also identify all sub-processors in an Annex, to be updated from time to time.
As currently drafted, there would also be a contractual obligation on sub-processors to contact data controllers directly, "where appropriate," with relevant information regarding personal data breaches.
The clauses also increase obligations on data exporters to notify supervisory authorities, "if appropriate", where a data importer has notified the exporter that it may not be able to comply with the SCCs, including where the exporter has decided to suspend a transfer. If, after considering and putting in place additional security measures in such circumstances, the exporter proceeds to make the transfer, it must tell the supervisory authority.
Overall, the increased obligations on each party may result in protracted negotiations between customers and service providers and potentially internally too amongst businesses that are part of the same group of companies as they try to iron out each party’s obligations.
The draft new SCCs require organisations to assess local laws in the countries to which data is being exported to determine their adequacy in safeguarding personal data, and contain a mutual warranty that neither party is aware of any local law which undermines data subject rights. This is specifically included to account for the recent Schrems II ruling, which raised specific concerns regarding US surveillance activity under the Foreign Intelligence Surveillance Act (FISA) and which provided that the same consideration should be applied universally to all countries, absent adequacy decisions, into which data is to be imported.
Parties must now therefore carry out a transfer risk assessment of local laws and make it available to supervisory authorities on request, taking into account the volumes of data shared, content, duration and exact processing in their assessments.
Specific provisions govern the level of information the importer must provide to the exporter in the event they are subject to governmental requests to access data, and the procedure for challenging such requests. The ultimate decision on whether to challenge such requests rests with the data importer, and no guidance has been provided on how the importer is to "assess" whether there are compelling grounds for challenging requests for disclosure.
Data importers must use "best endeavours" to provide sufficient information required for the risk assessment and seek waivers, where possible, from local authorities of any ban on their ability to notify exporters about government requests.
In summary, the obligations in respect of handling disclosure requests and local law assessments, as drafted, represent major new burdens for organisations to manage. They will require importers to complete legal analysis of the local laws which may be applicable, and to consider whether those laws are in line with GDPR requirements or any of its restrictions.
Alongside the proposed new SCCs for data transfers, the European Commission published draft new SCCs to help controllers engaging processors to do so in line with the requirements of Article 28 of the GDPR.
However, it is unclear how the two sets of SCCs are to work together, and which take precedence.
For example, the draft new 'Article 28' clauses – which are not mandatory to use – state that processors should notify controllers of a data breach within 48 hours, whereas the draft new SCCs for data transfers require the processor to report "without undue delay".
In addition, in relation to the provisions in the draft new 'Article 28' clauses concerning international transfers, there is no reference to the parties' respective obligations with regard to carrying out a risk assessment of the local laws of the third country. In the absence of such an obligation being imposed upon a processor, there is the potential for gaps to emerge where processors initially sign up to service agreements under which no third country transfers occur, but where affiliates or third parties outside of the EEA are added to the agreement over time. In the absence of any obligation on the processor to assist with local country assessments, services could be delayed as the parties try to negotiate signing the SCCs.
The overall theme from the draft new clauses is an increased level of accountability and transparency around data flows, categories of data and processing activities. There are more detailed and granular requirements for businesses to meet, requiring them to have a good understanding of their processing activities and controls in place to mitigate risks.
However, there is a risk of discord between what some of the new clauses require businesses to do and what is practical from a commercial perspective. Businesses should therefore take the opportunity to participate in the consultation exercise, which is open until 10 December, to ensure the finalised GDPR-age SCCs have commercial utility in the years to come.
Co-written by Stephanie Lees of Pinsent Masons.