September 29, 2022

Volume XII, Number 272


Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?

Following on from this week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer (EU-based processor to ex-EU processor, and EU-based processor to ex-EU controller) and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation (GDPR). The draft clauses will be subject to consultation with the EDPB, and there are a few points of potential disagreement between the Commission’s draft and the EDPB’s guidance.

New Transfer Scenarios

The Standard Contractual Clauses approved by the Commission in 2001 and 2010 only addressed two data flow scenarios: an EU-based controller exporting data outside of the EU to other controllers, or to processors. In this new draft, the Commission departs from that approach and addresses a gap which frequently occurred in practice: allowing for EU processors to serve as data exporters to controllers and processors outside of the EU. All of the scenarios permitted by the new contract form are laid out in a series of “modules,” with generally applicable clauses included before and after the more specific sections.

This brings welcome flexibility. It recognizes the reality that EU-based processors frequently export personal data to non-EU sub-processors (who do not currently have a satisfactory legal mechanism to cover those transfers), and it reflects the expanded territorial scope of the GDPR. It creates a pathway for controllers outside of the EU to work with processors located in the EU on projects involving EU data. For example, a U.S. company could retain the services of an EU-based call center to respond to customer queries arising from sales made in the EU. The new SCC forms for a processor-controller transfer would allow that call center to share customer records with its U.S.-based client. That call center could now also sub-contract its work to an overflow call center outside the EU, using the processor-processor form.

From a structural point of view, the new SCCs also provide a mechanism for additional parties to accede to the clauses as data exporter or data importer – something which is often implemented under the current SCCs by using a wraparound framework data transfer agreement which incorporates the SCCs.

Tension with the EDPB?

Given the timing of the two announcements, it’s impossible to read the Commission’s draft without thinking of the EDPB’s six-step process for evaluating data transfers. There does appear to be some potential disagreement about the approach controllers are expected to take. Both the Commission and the EDPB include a list of factors data importers must consider when determining whether local law allows them to comply with their obligations under the SCCs, but the lists are not the same. The Commission appears to permit data importers to consider the practical likelihood of government access by allowing evaluation of “relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” The EDPB, on the other hand, warned data importers away from “subjective” considerations, including “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” However, both documents note that the evaluation must include all laws “applicable” to the data importer.

One-Stop (Contract) Shop

The Commission noted that it believes its proposed clauses not only satisfy the requirements of Article 46 (standard contractual clauses for international transfers), but — when used by an EU controller with a processor — also satisfy Article 28. Article 28 details the requirements for controller-processor contracts generally (regardless of whether personal data is exported outside the EEA), and these obligations are often the subject of negotiation between business entities. The Article 28 aspects of the draft SCCs are relatively “bare bones” and may be favored by processors who do not wish to agree to bespoke obligations for each controller they work with. The relatively minimalist approach is somewhat at odds with the approach taken by the EDPB in its recent guidance on controllers and processors (see “New Guidelines on Data Controllers and Processors: Time to Review Data-Processing Agreements”), which stated that while the Article 28 obligations constitute the core content of a data processing agreement, they are not sufficient in themselves and should be supplemented by detailed provisions which set out the respective obligations of controllers and processors. In at least one instance, the draft terms reach “business” issues not usually addressed by regulators, and apportion the cost for data protection audits between the parties. The Commission’s note does indicate that use of the SCCs for Article 28 purposes is not required and the parties can supplement these provisions with additional terms.

Where Do We Go From Here?

The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. The feedback received during this process could lead to further changes to the structure and content of the documents. Once in final form, the decision and clauses will need to be formally adopted by the Commission to be effective and available to companies for use. Fortunately, the draft Commission decision provides a one-year transitional period. Existing contracts using the old SCC forms will remain effective during this period, provided the contract is otherwise unchanged. Once contracts are revised or updated, however, the new clauses should be implemented. While this is helpful breathing space, this week’s combined developments mean that international data transfers will be high on the compliance agenda for the remainder of 2020 and a key priority for 2021.

Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.

View the draft Standard Contractual Clauses.

© 2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 319

About this Author

Reed Abrahamson Faegre Drinker Biddle

As a member of the firm’s Privacy and Cybersecurity Team, Reed Abrahamson assists clients with identifying and addressing data privacy and security risks in business operations. A Certified Information Privacy Professional - United States (CIPP-US), he helps companies design and implement privacy and data security policies and programs, and advises clients on compliance issues related to the GDPR, CCPA, HIPAA, CAN-SPAM Act, TCPA, and other privacy laws. Reed also has experience working with companies to respond to data breach incidents.

Reed counsels clients on managing risk through...

Huw Beverley-Smith Transactions Lawyer Faegre Drinker

Huw Beverley-Smith advises customers and suppliers on a wide range of international transactions and regulatory issues, including technology, telecommunications and business process outsourcing, complex services agreements, intellectual property ownership and licensing. He counsels clients on privacy and cybersecurity issues and helps navigate regulatory hurdles and operational and commercial risks. Huw is the author of several books and articles on intellectual property and privacy, including "Rights in Data and Information" in the Oxford Handbook of Intellectual...

Peter A. Blenkinsop, Drinker Biddle Law Firm, Healthcare and Data Privacy Attorney, Washington DC

Peter A. Blenkinsop advises clients on data privacy, research compliance, and e-health. He co-chairs the firm’s Information Privacy, Security & Governance practice. Peter represents clients in the life sciences, health, nutrition, and technology sectors, among others.

Peter’s focus on data privacy and security law began well over a decade ago in the run up to implementation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Since then, his practice has expanded well beyond health information privacy to data privacy...