Data Protection & Standard Contractual Clauses - two different questions and concerns
In this article I would like to raise two different questions, or concerns, about the Standard Contractual Clauses (SCCs). The first is the need to update them now that the European General Data Protection Regulation (“GDPR”) is in place; the second is the use of SCCs by Non-EU Controllers.
STANDARD CONTRACTUAL CLAUSES UNDER THE GDPR
The GDPR, like the EU Data Protection Directive, prohibits the transfer of personal data to third countries outside the European Union that are not considered to provide an adequate level of protection under applicable national laws. Where a country does not provide an adequate level of protection, international transfers of data outside the Community may still be performed if the Controller adduces appropriate safeguards to protect the data abroad. Only as a last resort does the GDPR allow transfers to take place on the basis of a derogation, provided that certain conditions and specific requirements are met.
The problem we face now is that the SCCs as approved by the EU Commission under Decision 2001/497/EC, Decision 2004/915/EC and Decision 2010/87/EU are now obsolete, and this is generating confusion and concern.
On July 9th, the Court of Justice of the European Union (CJEU) heard oral arguments in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”), in which the validity of the SCCs was questioned. Before the decision of the CJEU, which is expected during the first quarter of 2020, the Advocate General (“AG”) will publish his opinion, and any decision that comes out of this case will have a huge impact on business interactions.
In my opinion, the SCCs should not be invalidated as a lawful mechanism to transfer data outside the EU; however, the EU Commission must update them in order to adapt them to the new provisions of the GDPR. Currently, the obligations imposed on the Data Exporter and the Data Importer under the SCCs are no different from, or even less rigid than, those imposed on Controllers and Processors under the GDPR. Considering that Processors are now directly responsible for privacy compliance and are required to appoint an EU Representative when they are not based in the territory of the EU, a big improvement in data protection enforceability, which was hard to explain under the SCCs, is now a reality.
The obligations of the EU Representative must also be clarified by the EU Commission or the CJEU, because we do not really know whether Data Protection Authorities can impose fines on Representatives for privacy breaches of a Non-EU Controller or Processor, nor how such fines should later be reimbursed by the Controllers or Processors. Such a process would make sense, but it would require companies to draft proper contracts with their Representatives, grant indemnification rights to the Representatives and probably impose insurance obligations on both parties to cover privacy breaches.
To conclude, in order to be used as a valid mechanism to transfer personal data from the EU to third countries, the SCCs need to be reviewed to extend the protection already granted by the GDPR and to clarify certain requirements so as to ensure their enforceability.
STANDARD CONTRACTUAL CLAUSES WHEN THE CONTROLLER IS A NON-EU ENTITY
Another issue around the applicability of the SCCs is their use when Controllers are not based in the EU. It is very common to find Non-EU Controllers using SCCs to transfer personal data of EU data subjects to third countries, even though the SCCs approved by the European Commission are designed to cover only transfers from EU Controllers to Non-EU Controllers or Non-EU Processors.
Non-EU Controllers take this approach either by incorporating the SCCs into the Services Agreements they enter into with Non-EU Processors or by having their EU Representative sign SCCs with Non-EU Processors on their behalf. As for Non-EU Controllers, it is also common to find SCCs signed between two Non-EU Controllers where there are no Binding Corporate Rules (BCRs) in place.
We all agree that the SCCs are a fundamental tool to maintain the flow of personal data between the Community and third countries without unnecessary burdens for economic operators. However, we cannot forget the scope of applicability of the SCCs and, especially, that there are other mechanisms, including other appropriate safeguards, to ensure that personal data is protected abroad, as well as legal derogations to legitimise such transfers.
So my concern here is whether the use of SCCs outside the scope of their applicability can become a problem for companies rather than a way to protect them against Supervisory Authorities’ fines. Is the use of SCCs by Non-EU Controllers considered lawful and a legitimate legal fiction, or may it, on the contrary, be seen as an attempt to bypass approval from Supervisory Authorities of contractual clauses under art. 46(3)(a) GDPR?
I believe that the SCCs as approved by the EU Commission should be used as a legal mechanism to transfer data abroad only when the data exporter is an EU Controller. This does not invalidate the fact that Non-EU Controllers can draft contracts with other Controllers/Processors based outside the EU and include the same terms and conditions as provided by the SCCs to ensure that third parties protect personal data abroad.
So, if a Supervisory Authority investigates transfers of data from a Non-EU Controller to a Non-EU Processor, it should not expect to find SCCs signed between these parties. Rather, it should expect to find information on the Records of Processing Activities (RoP) or the Data Protection Impact Assessment (DPIA) regarding these transfers; the appropriate safeguards used or, alternatively, the derogation the Controller relied on to perform the transfers; the necessary informed consents (when applicable) or privacy notices explaining the conditions of the processing, including the international transfers of data and the recipients of personal data abroad; and the relevant data processor agreements imposing specific security measures on Processors to ensure the protection of data in third countries.
To conclude, until there is a Decision of the EU Commission approving a new model of SCCs to be used by Non-EU Controllers, SCCs are not a valid mechanism for Non-EU Controllers to transfer data abroad, and Non-EU Controllers should rely on alternative appropriate safeguards or on legal derogations to transfer the data. In practical terms, if neither SCCs nor any other appropriate safeguard as defined under art. 46 GDPR is used, Non-EU Controllers must, in order to ensure that any transfers are lawful, rely on one of the derogations available under the GDPR and comply with the requirements specified in the law, which will grant some protection or additional information to data subjects.
DCA