EU's New Cross Border Standard Contractual Clauses Strategies

David A. Zetoony

Email

303.685.7425

Bio and Articles

Andrea Maciejewski

Email

+1 303.572.6500

Bio and Articles

Data Subject (EEA) → Processor Z (non-EEA) → Processor Y (non-EEA)

by: David A. Zetoony, Andrea Maciejewski of Greenberg Traurig, LLP - Data Privacy Dish

Monday, September 12, 2022

Print Mail Download

i

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual	Description and Implications
Background. Company A retains Company Z in Country Q to process personal data (e.g., collect personal data from data subjects). Company A instructs Company Z to transmit the personal data to Company Y, which is a second processor in Country Q. There are two general strategies for how the transfer could be structured.
Option 1
	Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor”ⁱ and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.ⁱⁱ As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q. Transfer 3: Possible use of SCC Module 3. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers “in the same [non-EEA] country” should also utilize a safeguard mechanism such as the SCCs.ⁱⁱⁱIn this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The former structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company Z, is a sub-processor of Company Z, and/or takes instruction directly from Company Z. Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y. Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.
Option 2
	Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor”^iv and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.^v As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q. Transfer 3 and Transfer 4: Possible use of SCC Module 2. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers “in the same [non-EEA] country” should also utilize a safeguard mechanism such as the SCCs.^vi In this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The latter structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company A, is a direct processor of Company A, and/or takes instruction directly from Company A. Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y. Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.

FOOTNOTES

ⁱEDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

ⁱⁱThe transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).

ⁱⁱⁱSee New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.

^ivEDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

^vThe transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).

^vi See New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.