Article 46 of the General Data Protection Regulation (GDPR) lays out the alternative grounds that would allow a controller or processor to transfer personal data (PD) to a foreign jurisdiction which is not recognised as adequate. One of them is standard data protection clauses adopted by the European Commission. On June 4, 2021, the Commission adopted a set of New Standard Contractual Clauses (New SCCs) replacing the earlier ones that were framed under the 1995 Data Protection Directive (Old SCCs). New SCCs come up with a “modular” structure, addressing certain practical issues encountered in international data transfers with the objective of catering to digital economy developments, new and more complex processing operations involving multiple levels, prolonged processing cycles, and evolving business relationships. New SCCs were implemented with effect from June 27, 2021 and provide different timelines for existing and new transfer arrangements. For the existing ones entered before June 27, 2021 that incorporate Old SCCs, parties can continue to rely on them and transfer PD till December 27, 2022. Any new arrangement after September 27, 2021 must be using New SCCs. Those which are entered into between June 27 and September 27, 2021, can still follow Old SCCs, and will be valid till December 27, 2022. With these bifurcated timelines, organisations have been provided with transition period to ensure that their transfer processes and mechanisms are upgraded to New SCCs.
As the 3 months’ window till September 27, 2021 lapses, this post provides a quick recap and overview of the New SCCs.
1. Validity of SCCs: The validity of using Old SCCs for cross-border data flow was challenged in Schrems II case (Data Protection Commissioner vs. Facebook Ireland Limited, Maximillian Schrems (C-311/18)). Brief background and timeline leading up to Schrems II:
2000: European Commission adopts decision recognizing EU-USA safe harbour arrangement as adequate for data transfers from EU to USA; safe harbour essentially was a self-assessment and certification mechanism.
2013: In light of Snowden revelations on USA surveillance practices, Maximillian Schrems lodges a complaint with the Irish data protection authority, requesting investigation into Facebook Ireland’s practice of transferring user data to Facebook Inc. servers in USA and the level of protection provided under safe harbour.
2015: Court of Justice of the European Union (CJEU) invalidated safe harbour arrangement due to lack of adequacy in Schrems I (Maximillian Schrems v. Data Protection Commissioner (C-362/14)) ruling. Facebook Ireland explained that much of its data transfer was pursuant to SCCs. In December 1, 2015, Max Schrems reformulated his complaint to question sufficiency of SCCs in light of invasive USA surveillance programmes that breached fundamental rights of privacy and recourse to effective legal remedies.
2016: Meanwhile, European Commission and US Department of Commerce began designing a data transfer mechanism EU-US Privacy Shield Framework which was deemed adequate and in line with EU data protection principles.
2018: On reformulated complaints from Max Schrems, Irish high court referred the question to CJEU.
2020: CJEU invalidated the EU-US Privacy Shield BUT upheld validity of SCC based transfers with a word of caution – assess the level of protection afforded in the importer jurisdiction and provide additional safeguards. The ruling solidifies the need for transfer impact assessment (TIA). Simply put, TIA requires the exporter to evaluate the state of law in the importer jurisdiction, and if it does not provide a comparable degree of protection as is provided under GDPR, SCCs must be supplemented with other measures for valid data transfer.
Thus, a series of events leading up to Schrems II ruling establishes the validity of SCC based transfers, although TIA on case-to-case basis is critical. Consequently, now, exporter organisations have evolved TIA processes (often initiated as checklists) to require information and verify actual measures implemented by importers. They evaluate the impact over a span of 3 to 7 years depending on the sensitivity of transferred PD, jurisdiction, state of data protection laws, technical measures implemented and purpose of the transfer, and other relevant factors. Nonetheless, a uniform theme for TIA is to evaluate the state of surveillance and intelligence exercise by government and whether there are sufficient checks and balances on unlawful access to PD, and to this effect, New SCCs formalise some of the key aspects, as discussed later.
2. New SCCs structure: New SCCs are poised to provide contractual safeguards on first-hand and onward data transfer scenarios. The clauses cannot be modified, but can be made part of a wider contract or augmented with stricter standards. Clauses which are contrary to New SCCs shall be superseded, and interpreted in line with GDPR. It defines “data exporter” as a legal or natural person and any other public authority/agency/body that is in EU or is governed by GDPR due to its long-arm jurisdiction and transfers PD to an inadequate jurisdiction. The recipient is a data importer. With a “modular” approach, New SCCs contemplate 4 categories of cross-border data transfer: (i) controller to controller (C-C), (ii) controller to processor (C-P), (iii) processor to processor (P-P), and (iv) processor to controller (P-C). Parties have to identify the appropriate module, include relevant clauses, and this will set the house in order as Old SCCs only catered to C-C and C-P scenarios. Along with these modules, New SCCs provide 3 annexures that must be used to substantiate details of the data transfer, technical and organisational measures for security of data, and list of sub-processors (where applicable).
New SCCs also introduce an optional docking clause. This clause will allow third-parties who become associated with the transfer and processing cycle at a later stage, accede to the already executed contract. Multiparty contracts for cross-border transfer were used in practice under Old SCCs, and this practice has been formalised, thereby making overall contracting matrix simpler. This does not mean that organisations can no longer execute new contracts to induct a new party should they decide to follow that route.
3. TIA and related matters: Clauses 14 and 15 of New SCCs rely on impact assessment, warranty, pro-active notification and implementation of additional safety measures as key pillars of a rigorous TIA. Exporter and importer must warrant that there is no reason to believe that destination jurisdiction laws and practices, including the legal need to disclose PD to authorities will prevent the importer form complying with New SCCs. The underlying understanding for this warranty is that local laws have only proportionate digressions and respect fundamental rights and freedoms. In order to provide this warranty, parties must conduct TIA that takes into account the specific circumstances of transfer (like processing purpose, duration, chain, transmission medium, onward transfers, etc.), local laws and practices, and relevant data protection measures. This is a continuous exercise, which is where identifying certain time duration as discussed earlier becomes relevant. Accordingly, importer must provide all relevant information to and cooperate for continued compliance with the exporter. The findings must be documented and made available to competent supervisory authority when required.
Going ahead, if importer believes that local laws and practices (such as change of law, or a disclosure request ) are no longer aligned with the original warranty, they must notify the exporter promptly. Pursuant to such notification or if exporter has other reasons to believe that importer can no longer comply with New SCCs, then, it must promptly identify appropriate measures to ensure security and confidentiality. Should such measures not be possible, exporter must suspend PD transfer and may terminate the contract as well.
As a necessary corollary, New SCCs also impose pro-active notification obligation on importer where it receives a legally binding instruction to disclose PD from any public or judicial authority under the local laws, or where such authority has gained access to PD. If local laws prohibit such notification, importer must on a best-efforts basis obtain waiver, so as to be able to communicate such information to exporter. Additionally, it is obligated to review the legality of the request for disclosure and to challenge and seek interim relief if it concludes that there are reasonable grounds to consider such access request unlawful. This legal assessment must be documented and made available to the exporter and to competent supervisory authority on request.
4. Data protection safeguards: Under each of the modules, New SCCs provide for specific clauses catering to purpose limitation, transparency, accuracy, data minimisation, storage limitation and other related processing aspects. These are aligned with the core data processing principles and take into account the fundamental rule that processing should be at behest of controller’s directions. Below table provides an overview of these contractual requirements per module:
|A.||Purpose limitation on importer’s processing scope||
||Only and strictly as mentioned in New SCC annexure and in compliance with directions from controller||Same as C-P||N/A|
||Same as C-P||N/A|
|C.||Data accuracy and minimisation||
||Same as C-P||N/A|
|D.||Data retention and allied matters for importer||
||Same as C-P||N/A|
|E.||Ensuring security of PD by importer||
||Same as C-P||
|F.||Onward transfers by importer||Cannot transfer PD to any country outside EU (including importer’s own jurisdiction, unless third party:
||Cannot transfer PD to a third party (not even in EU) unless there are documented instructions from exporter; and additionally, if third-party is outside EU, cannot be disclosed unless,
||Same as C-P||N/A|
|G.||Documentation & compliance||
||Same as C-P||Each Party should be able to demonstrate compliance with New SCCs, and exporter to provide necessary information to importer for demonstrating compliance|
|H.||Sub-processors||N/A as transfer is between controllers||
||Same as C-P||N/A|
|I.||Subject rights||Direct obligation on importer to comply with subject’s right requests for access, correction, erasure, withdrawal of consent for direct marketing purposes, prohibition of automated decision-making||Notify exporter on receipt of a subject request and not respond unless authorised by the exporter, assist exporter to respond||Same as C-P||Parties shall assist each other to respond to subject’s requests|
5. Third-party beneficiary rights: A cardinal principle underlying GDPR compliant cross-border transfer is enforceability of data subject rights and their access to legal remedies in the foreign jurisdiction. This is enabled through third-party beneficiary right mechanism, which simply means benefit to enforcement and compensation by a person who is not directly privy to the contract but is the ultimate beneficiary. Clause 3 of New SCC states that data subjects can directly enforce New SCCs, and lists those which cannot be enforced. These carved out clauses mostly pertain to inter se relationship between exporter and importer, or concerning interaction with data protection authorities. Under Old SCCs, data subject had to in first instance, initiate their claim against the exporter, and if that was not possible, then, the importer, followed by the sub-processor. Thus, the approach was staggered. Now, they can directly enforce against exporter, importer, or sub-processor. Specific to C-P and P-P scenarios, New SCCs state that if the data subject in exercise of their third-party beneficiary rights decides to lodge complaint with competent supervisory authority or refer the dispute to competent courts, importer has to accept such choice, without prejudice to their substantive and procedural rights to seek remedies in accordance with applicable laws. In order to determine the extent of liability for exporter and importer, New SCCs provide that each party is liable to the data subject for compensation for any kind of breach of New SCCs, and where more than one party is responsible, all are jointly and severally liable. In such situation, data subject can bring in claim against any of these parties. Upon adjudication, if a party is held liable and has to compensate, such party shall have a right to claim back from the others i.e., other contribute to the compensation.
6. Supervisory authority, governing law and disputes: Importer must submit to the jurisdiction of competent supervisory authority. This will be (i) where exporter is in EU, the responsible supervisory authority that has jurisdiction over exporter, (ii) if exporter is not in EU but must comply with GDPR due to long-arm provisions, and exporter has appointed a EU representative, supervisory authority of the member state where the representative is established, and (iii) if exporter is not in EU but must comply with GDPR and does not have a EU representative, then supervisory authority of one of the member states where subject is located. In terms of governing law, New SCCs provide that it must be one of the EU member state law which allows for third-party beneficiary rights. For disputes, adjudication shall be by courts of an EU member state, except where it is P-C, where parties can identify the competent courts located in any other jurisdiction as well.
New SCCs tighten up loose-ends and also formalise some existing practices. Trust But Verify is the new norm for SCC based transfers. Many have observed New SCCs to bring in onerous and expensive requirements, and this demands parties to thoroughly strategize cross-border data flow, prepare for associated costs, and negotiate bearing in mind the core data processing principles under GDPR as well as existing & future state of applicable local laws. More often than not, data transfers enable infrastructure sharing and cost reduction, but the increased significance of having laws and legal redressal system that aligns with EU democratic principles has required revisiting of the cost-benefits analysis. Many attractive processing destinations may or may not have robust data protection laws or could have governments with unfettered powers to surveil and access PD for law enforcement, state security and national interest purposes. These are difficult situations to overcome for an importer, and to certain extent, beyond their reasonable control. For these jurisdictions, governments and regulators share an equal burden to revisit the existing laws, so as to create a conducive ecosystem for data flows from EU. It also increasingly indicates the need for independent national data protection authorities, developing adequate checks and balances in surveillance laws, and participating in talks for an international data transfer framework. Additionally, parties will need to carry out detailed inventory of existing data transfers, assess the need to change, evaluate the reasons for transfer, conduct TIAs, understand existing legal processes for discovery and surveillance, and implement appropriate technical measures for integrity of PD during transmission and at rest. All of these will take months, and it will be worthwhile to revisit how organisations and countries have fared at the end of December 2022. Nonetheless, transparency, constant flow of information inter se parties, repeated resilience checks and ongoing review for identifying the need to supplement existing technical and organisational measures are the way forward, which are likely to minimise liability, mitigate breach risks, and bring in more accountability.
Author acknowledge the initial research work done by Rishi Sehgal