New SCCs pose new challenges for onward transfers!

If 2018 may forever be known for the “strongest seismic wave in the privacy world” caused by the European Union’s (EU) General Data Protection Regulation (GDPR) becoming effective, 2020-21 will probably be remembered as a year of “tremors in cross-border data transfers”, thanks to the non-stop global debate on the validity of standard contractual clauses (SCCs) as an international data transfer mechanism, triggered by the Schrems II decision, in which the validity of the SCCs was considered by the Court of Justice of the European Union (CJEU).

For those who are unfamiliar, the GDPR restricts transfers of personal data to third countries that have not been accorded “adequacy” status by the European Commission (EC) for having GDPR-like protections. While there are a number of exceptions to the “no third-country transfer” rule, for many transfers the only practical solution is the use of SCCs under Article 46 of the GDPR (Transfer SCCs), which are effectively a contract ‘pre-approved’ by the EC. These are not to be confused with the non-mandatory SCCs under Article 28 of the GDPR for use as data processing agreements within the EU between controllers and processors.

Even regarding the Transfer SCCs, the CJEU stated that data transfers based on these are prohibited if the data exporter was not able to ensure an adequate level of data protection. This prompted thousands of companies importing data from the EU and wishing to rely upon the Transfer SCCs to review their existing protocols to ensure that their current levels of protection are adequate and, if not, implement additional measures designed to provide an adequate level of data protection. Because this could be an expensive and challenging effort to undertake for several businesses, companies with global operations have been eagerly looking forward to the new Transfer SCCs, as they rely upon these clauses for their daily operations, such as cloud services, social media networks or internal processes around human resources.

Why do you need new Transfer SCCs?

The earlier version of the Transfer SCCs (Old Transfer SCCs) was adopted before the GDPR took effect. In addition, since the Schrems II decision called into question the reliability of the SCCs, the need to adopt new SCCs became even clearer. This led to the EC adopting an implementing decision on 4 June 2021, containing new SCCs for controllers and processors to transfer personal data out of the EU to third countries (New Transfer SCCs).

Can you even use the New Transfer SCCs?

Unlike the Old Transfer SCCs, the EC seems to have proposed a different regulatory mechanism for various classes of data importers through Recital 7 of the implementing decision for the New Transfer SCCs. Recital 7 provides that the New Transfer SCCs can only be used where the processing by the data importer does not fall within the scope of the GDPR. Notably, the Old Transfer SCCs did not impose any such condition on the “data importer”, which means that if you were receiving EU personal data in a third country, you could use the Transfer SCCs as a valid data transfer mechanism regardless of whether your processing was subject to the GDPR. Recital 7, on the other hand, prima facie suggests a “class” approach where data importers processing data under Article 3.2 of the GDPR (extraterritorial application) cannot use the New Transfer SCCs. Instead, such data importers will have to wait for another set of SCCs to receive data from the EU, an assessment further supported by the minutes of the EDPB’s 54th Plenary meeting. However, given the expansive nature of the jurisdictional coverage of the GDPR (also confirmed by guidelines issued by the European Data Protection Board), where processing by most businesses outside the EU is covered by the GDPR, the limitation in Recital 7 would mean that the New Transfer SCCs cannot be used in many transfers involving EU data.

A conflict within?

Before the New Transfer SCCs, there was no clear mechanism for a non-EU importer to lawfully transfer data it receives onwards to third-party recipients, although the Old Transfer SCCs provided for sub-processors becoming a party to these clauses with the original data exporter to ensure back-to-back obligations around GDPR compliance. The New Transfer SCCs for the first time provide an official data transfer mechanism for onward transfers, provided the data importer is subject to the GDPR.

For clarity, consider a German company subject to the GDPR offering goods and services to data subjects in the EU but using an Indian company as a processor (e.g., a customer care call center). There, the processing by the Indian processor is "related to" the offering of goods and services (by the German controller) to data subjects in the EU, and hence the processing will be subject to the GDPR, so the parties cannot use the New Transfer SCCs going by the literal interpretation of Recital 7. However, for any onward transfers by the Indian processor to a non-EU country, Recital 7 also says that the Transfer SCCs may be used for:

“the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behavior as far as it takes place within the Union.”

This means that, if the importer (the Indian processor) is subject to the GDPR, then the New Transfer SCCs are to be used for any "onward transfer" i.e., any transfer from the Indian processor to any third party not in the EU.

However, this comes with significant practical challenges. For instance, what do you do if your onward recipient refuses to sign the New Transfer SCCs, or agrees to sign only if you countersign as the data exporter? The latter throws up a further challenge because you are not the data exporter; you are a data importer, so not technically eligible to sign the New Transfer SCCs.

This also calls into question the very concept of the so-called “docking clause” in the New Transfer SCCs. In this regard, it is unclear how the initial importer could pass on the contractual obligations (docking clause) to the subsequent recipient, as the initial importer has not signed any such contract in the first place with the EU exporter, so the question of back-to-back obligations envisaged by the docking clause does not arise at all.

Global businesses may also be looking at a potential direct conflict between the prescribed sets of SCCs for the initial export of data and for onward transfers, where the initial non-EU importer subject to the GDPR cannot use the New Transfer SCCs for receiving data but is required to use the same for onward transfers.

What next?

When implemented at face value and considering the minutes of the EDPB’s 54th plenary meeting, it may not be difficult to conclude that the use of the New Transfer SCCs for processing by the data importer in third countries subject to the GDPR would be de facto prohibited as of 28 September 2021. This makes it clear that a large number of data transfers to third countries would ostensibly have to wait for the EC to release SCCs designated specifically for initial non-EU data importers directly subject to the GDPR (GDPR Specific SCCs). What remains unclear, however, is how such initial data importers will pass on the contractual obligation to subsequent transferees in non-adequate countries when they have not signed the GDPR Specific SCCs themselves.

Therefore, if you are a global business that previously relied upon Transfer SCCs to transfer data, there is no clear guidance on what to do currently. While many companies engaging in onward transfers (which is the case with most organizations given the technological landscape of modern businesses) may face a very complex contractual situation if they move data between the EU and third countries while waiting for a clarification from the EC on the mechanism for onward transfers, these companies may have to take some very tough decisions on whether to negotiate the New Transfer SCCs or continue with the old version executed before the stated deadline. Moreover, by the time the regulators come out with a clarification that the GDPR Specific SCCs are to be used for onward transfers, the grace period might have expired or be considerably short, thereby placing organizations in a tough spot, because contract negotiations are not concluded overnight and, depending on the complexity of transactions, may in some cases take several months. Conversely, this would make another grace period a necessity, at least for those businesses that have been waiting for a clarification from regulators rather than implementing the New Transfer SCCs.
