At the request of the European Commission, on January 15, the EDPB and the EDPS issued joint opinion 2/2021 (Joint Opinion) on the draft new transfer SCCs and the corresponding draft Commission Implementing Decision (Draft Decision). As we described in a prior blog post, the new transfer SCCs have been designed to take into account the shortcomings identified in the CJEU’s Schrems II decision and therefore include specific provisions dealing with cases of governmental access requests.
On the same date, the EDPB and the EDPS also adopted joint opinion 1/2021 on the other new set of standard contractual clauses for contracts between controllers and processors under Article 28(7) GDPR (new C-P SCCs).
General comments on the Draft Decision and the new transfer SCCs
Both the EDPB and the EDPS welcome the fact that the new transfer SCCs strive to (i) bring the existing sets of SCCs in line with the GDPR, (ii) better reflect the growing complexity of novel processing operations and evolving business dynamics, and (iii) provide for specific safeguards to deal with governmental access requests from public authorities in the third country in which the data importer is located.
Interplay with the EDPB Recommendations on supplementary measures
The EDPB and the EDPS recall that the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (covered in a prior blog post) will remain relevant. This means that, in the view of the data protection authorities, the new transfer SCCs cannot be construed as a one-size-fits-all standalone solution. Instead, there will still be cases where the new transfer SCCs will need to be further complemented by supplementary technical, contractual and/or organizational measures to ensure an adequate level of protection of personal data.
Scope of the new transfer SCCs
In the Joint Opinion, the EDPB and the EDPS shed some light on the controversial issue of the interplay between Chapter V of the GDPR on international data transfers and the territorial scope of the GDPR under Article 3(2). The reviewing bodies take the view that the Draft Decision does not seem to cover transfers to non-EEA data importers that are already subject to the GDPR under Article 3(2) in relation to a specific processing activity. Accordingly, the reviewing bodies want to exclude scenarios where the importer is already subject to the GDPR from the notion of “transfer” to which the transfer SCCs apply.
Unlike their predecessors, the new transfer SCCs adopt a modular approach that caters to various transfer scenarios: controller to controller, controller to processor, processor to processor and processor to controller (see here our summary). Although the EDPB and the EDPS welcome the proposed modular approach despite its novelty, there are still concerns around whether the combination of different modules within a single set may eventually lead to the blurring of roles and responsibilities among the parties. The Joint Opinion suggests that this aspect should be further clarified by the EC, by shedding some light on the way in which the new transfer SCCs are expected to function in practice and on whether different modules can be covered within one single set of SCCs.
Interplay with the new C-P SCCs
The EDPB and the EDPS consider that the Draft Decision must include a clear explanation regarding the articulation and interplay between the new transfer SCCs and the new C-P SCCs, in particular, by making it clearer that the parties will still need to rely on the new transfer SCCs in the event of international data transfers of personal data.
Moreover, the EC is asked to provide clarifications on the type of clauses that could be considered as contradictory, either directly or indirectly, to the new transfer SCCs.
Third party beneficiaries
Given the importance of third party beneficiary rights for both data subjects and controllers and processors relying on the new transfer SCCs, the EC should provide a “white-list” of rights that can be enforced by data subjects, instead of listing those which are not enforceable.
The reviewers welcome the inclusion of the docking clause allowing a third party to become a new party to the new transfer SCCs. However, the EDPB and the EDPS recommend clearly specifying the qualification, role and responsibilities of the parties to the contract via the relevant Annex, in addition to setting out the relevant processing activities in detail and clarifying the accession mechanism.
Local laws affecting compliance with the new transfer SCCs
The EDPB and the EDPS recommend including an additional annex to the new transfer SCCs requiring the parties to document, prior to entering into the contract, the data transfer assessment carried out. The Joint Opinion emphasizes that the exporter, with the assistance of the importer, has the responsibility to identify the necessary supplementary measures in line with the principle of accountability. Therefore, the Joint Opinion confirms that supervisory authorities are not expected to provide such assistance.
Notably, the EDPB and the EDPS reject the risk-based approach taken by the EC with regard to the risk assessment relating to government access requests in the third country of the importer. In particular, the Joint Opinion stresses that, for example, the absence of past requests for disclosure from public authorities is not a relevant factor for the purposes of the local law assessment.
With respect to modules one (controller to controller) and four (processor to controller), the EDPB and the EDPS call for an amendment providing for full joint and several liability, under which each party would also be responsible for damage caused solely by the other party. With respect to modules two (controller to processor) and three (processor to processor), the Joint Opinion points out that the possibility of seeking redress from the data exporter for any material or non-material damage caused by the data importer should not be conditional on an action against the data importer.
The EDPB and the EDPS take the view that the Annexes to the transfer SCCs describing the processing activities covered by the transfer SCCs in the individual case must be sufficiently precise to determine who fulfils which role with regard to a particular transfer / set of transfers. Consequently, a new and separate Annex will be required for each transfer / set of transfers, which should only be signed by those parties actually involved in carrying out the specific processing (including those acceding to the clauses).
Furthermore, the EDPB and the EDPS recommend that the Annex describing technical and organizational measures contain only those specific measures that apply to the respective transfer / set of transfers, in order to avoid generic descriptions that relate to a variety of transfers.
The Joint Opinion stresses the need to list each and every sub-processor, including their location, the processing operation(s) and the type of safeguards implemented, to enable the controller to authorize their use in line with Article 28(2) GDPR.
Key findings per module
Module One (controller to controller transfers)
As this module appears to cover transfers between independent or separate controllers, the EDPB and the EDPS highlight the need for the EC to assess and clarify whether it could also be used in joint-controllership scenarios.
Other issues identified in the Joint Opinion relate to transparency (e.g. the data importer must provide information to individuals in line with Articles 14(1) and (2) GDPR), security (e.g. the parties shall consider encryption in transit and anonymization/pseudonymization, where this does not prevent fulfilling the purpose) and onward transfers (e.g. the need to include a commitment from the data importer to notify the data exporter of onward transfers).
Module Two (controller to processor transfers)
The EDPB and the EDPS are of the opinion that there are several instances where the wording in this module conflicts with Article 28 GDPR requirements. For example, the new transfer SCCs provide that upon termination of the services, the data importer shall delete or return all personal data, whilst Article 28(3) GDPR states that deletion or return takes place at the choice of the controller. Similarly, the audit provisions under the new transfer SCCs allowing for audits conducted by an independent auditor mandated by the data importer should be brought into closer alignment with the GDPR, under which the decision about the auditor has to be left to the controller.
Module Three (processor to processor transfers)
With regard to this module, the EC is urged to clarify whether the controller will actually be expected to sign the clauses or whether the processor and sub-processor will only need to identify the controller in the corresponding Annex. Also, the controller’s right to give further instructions regarding the processing cannot be limited in any way. Other issues identified relate to erasure and return of data and security of processing (for which similar comments as in module two apply).
Module Four (processor to controller transfers)
The EDPB and the EDPS recognize that the scope of this module is limited to transfers from a processor subject to the GDPR to its own controller not subject to the GDPR, and excludes transfers from such a processor to any other controller. However, the EC is expected to clarify the scope of Module Four, and to further supplement it by including all necessary provisions under Article 28 GDPR directly applicable to the processor (e.g. commitment by the processor with regard to confidentiality obligations under Article 28(3)(b) GDPR, data breach notification obligations under Article 33(2) GDPR, sub-processing provisions under Article 28(3) and (4) GDPR, and mutual assistance and support).
All in all, the EDPB and the EDPS have clearly aimed to ensure that the new SCCs provide the maximum level of protection that a contractual mechanism may afford. They have consciously and meticulously examined the draft and identified every instance where reinforcements can be made. Now the EC must decide whether to accommodate all of these views or opt for some compromises for the sake of pragmatism. This will be an important decision as the new SCCs are bound to play a critical role in protecting global dataflows for the years to come.
Authored by Paula Garcia, Henrik Hanssen and Laur Badin.