On August 7 the Centre of Information Policy Leadership (CIPL) published their white paper titled: “Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses under the GDPR,” as part of the input phase for the European Commission’s continued efforts to update the Standard Contractual Clauses (SCCs).
The SCCs are a set of standard contractual terms designed to protect personal data that leaves the European Economic Area (EEA) by creating a legal agreement between the data exporter and the data importer. SCCs are by far the most popular mechanism for organisations transferring personal data outside the EEA in situations where “adequate safeguards” are required.
Organisations of all shapes and sizes that regularly export personal data from the EEA should pay close attention to developments in this area. This is of particular importance for those based in the UK, or who transfer data to the UK, as it is likely that the SCCs will be the go-to mechanism for continuity of EU/UK data processing operations in the event of a no-deal Brexit.
The CIPL white paper highlights the main challenges faced under the current SCCs and proposes some practical solutions to those challenges for when the next generation of SCCs is produced. This post discusses the key challenges identified in the white paper, including the rigidity of SCCs, their overlap with Art 28 of the GDPR and the lack of a “grandfather clause” to reduce administration.
The rigidity of the current SCCs
In order to be effective, the SCCs must have a high degree of standardisation. However, in their current format, there are many barriers which prevent their efficient operation.
Firstly, the SCCs only support two parties entering them: the data exporter and the data importer. There are no provisions to enable multiple parties to enter into the same contract. With the ever-increasing complexity of global processing operations, lack of support for non-linear trans-border transfers may stifle such operations and have a knock-on impact on global trade. To address this barrier, the next generation of SCCs should account for the fact that multiple parties may wish to sign up to them for a processing operation.
Furthermore, the SCCs currently only exist in controller to processor (C2P) format, with no consideration of transfers which may be processor to processor (P2P) or joint controllership (JC) in nature. This has led to the bizarre situation whereby processors have been stylising themselves as controllers in order to use the C2P clauses, because nothing else exists to facilitate such transfers. The CIPL has cleverly suggested that the next generation SCCs be presented in a single, electronic template from which parties select the format of the relationship between them (i.e., C2P, P2P, JC, multiparty etc.) from a drop-down menu. Once this selection has been made, a template bespoke to the selected situation is formed. Although this is an innovative and elegant proposition, it will be interesting to watch this space to see how such a solution is deployed in practice.
The Relationship between Article 28 GDPR and the SCCs
Article 28(3) GDPR requires that “processing by a processor shall be governed by a contract.” In certain trans-border processing, this will mean that both the requirements of the SCCs and Article 28(3) will need to be met. Due to their age (first published in 2010), some incompatibilities now exist between the SCCs and the GDPR (which came into force in 2018). These incompatibilities range from now-redundant clauses to direct contradictions.
It has been proposed that the Commission offer further clarity on this whilst developing the next generation of SCCs, creating a distinct line between the requirements of Article 28(3) and the requirements for international transfers of personal data under the SCCs. The CIPL has suggested this could be done either by giving parties the option to exclude the requirements of Article 28 from the SCCs and include them in the underlying commercial contract instead, or by reaching a decision whereby the SCCs themselves can serve as the governing contract for the processing itself.
Grandfather clause for SCCs already in place
As previously stated, the SCCs are currently the most popular mechanism to enable personal data transfers from the EEA to third countries. Organisations of all business models and sizes have many of these agreements already in place as part of their ongoing processing operations. It is estimated by the CIPL that some of the larger companies with significant global data processing operations could have as many as 10,000 arrangements relying on the SCCs in place. A change in the requirements of the SCCs presents an administrative nightmare for such organisations, bordering on the realms of impossibility.
The CIPL directly floated the idea of a “grandfather” clause, which would allow existing iterations of the SCCs already in place to remain in force when the next generation SCCs are deployed. Over time, these could be updated to the newer edition without the administrative burden of having to do it all at once.
Although the next generation of SCCs is in the very early stage of development, the CIPL white paper nevertheless sheds some initial light on how they may potentially develop and how lobbying groups will approach the subject. It is an area of particular interest for those involved in data protection, especially for EU/UK, EU/international and UK/international data processing operations.
For more information on the current SCCs, how the next generation SCCs are developing or any other issues related to data protection please feel free to get in contact with our team.