ICQ Log - Data Protection & Information Security 

Time to Act: New Standard Contractual Clauses and Practical Considerations for Financial Institutions

 

Last Updated: 01 June 2021

In this article, Flavien Corolleur, Senior Legal Counsel/Director and Data Protection Officer at SS&C Financial Services (Ireland) Limited and member of the ACOI DP&IS Working Group, examines the new GDPR Standard Contractual Clauses (SCCs) along with practical matters to consider when preparing for the new GDPR SCCs regime.

Many companies have been relying for over 20 years on the standard contractual clauses (“SCCs”) set out in the Decisions 2001/497/EC and 2010/87/EU for the transfer of personal data to third countries and processors established in such countries under the Data Protection Directive 95/46/EC. When the new European Union (“EU”) data protection regime took effect on 25 May 2018 in the form of the EU General Data Protection Regulation (“GDPR”), a new set of modernised SCCs was expected to be published for the purposes of Article 46 of GDPR.

On 16 July 2020, the Court of Justice of the European Union (“CJEU”) published its decision in C-311/18 Irish Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (the “Schrems II Decision”) in connection with the EU-US Privacy Shield and SCCs. In this decision, the CJEU invalidated the EU-US Privacy Shield, yet it also confirmed the SCCs remained valid. The European Commission subsequently published a draft implementing decision on SCCs (“GDPR SCCs”) [1] on 12 November for public consultation. Subsequently, the European Data Protection Board (“EDPB”) [2] published draft recommendations on measures supplementing transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Safeguards Measures) [3] on 11 November 2020, also for public consultation (“Supplementary Measures”).

 

With the final GDPR SCCs [1] just published at time of writing on 4 June 2021 and the final version of the Supplementary Measures published on 21 June 2021, this article will first give a general overview of the GDPR SCCs followed by a list of practical matters to consider when preparing for the new GDPR SCCs regime. This article will also look at some challenges, such as the project management component and data flows between the UK and the EU, pending an adequacy decision and the UK potentially publishing its version of SCCs.

 

General Overview of the GDPR SCCs

The contractual construct of the GDPR SCCs

The GDPR SCCs consist of four main sections and three annexes.

The first general section (1) describes the purpose and scope of the GDPR SCCs, (2) clarifies which terms of the GDPR SCCs may be invoked and enforced by data subjects as third party beneficiaries, (3) indicates any terms used in the GDPR SCCs have the meaning given to them under GDPR, (4) clarifies the GDPR SCCs terms will prevail should there be any conflict with any other agreement the parties to the GDPR SCCs may have entered into and (5) describes the transfer. In addition, the first general section includes an optional clause (the “docking clause”) according to which the parties to the GDPR SCCs may wish to add a third party either as data exporter or data importer by completing and signing Annex A.1.

 

The second section, specific to the parties’ obligations, adopts a “modular approach” and offers four options, depending on the type of processing and parties associated with such processing. The four modules of the GDPR SCCs are:

(1) controller to controller,

(2) controller to processor,

(3) processor to processor; and

(4) processor to controller.

 

The modular approach applies to both the basic terms as regards data protection safeguards (such as accuracy and data minimisation, storage limitation, security of processing and reporting of a data breach) and provisions in connection with local laws, which may affect compliance with the GDPR SCCs, including the use of sub-processors and liability terms.

 

The third section of the GDPR SCCs relates to the local laws and obligations governing access by public authorities. In particular, the parties to the GDPR SCCs must conduct and document an assessment in connection with the laws and practices in the third country of destination applicable to the processing of the personal data.

 

The fourth section of the GDPR SCCs features various general provisions to include, for instance, the obligation on the data importer to promptly inform the data exporter if it is unable to comply with the GDPR SCCs. GDPR SCCs should be governed by the laws of an EU Member State, provided that such laws allow for third-party beneficiary rights.

 

Lastly, the GDPR SCCs include three annexes, which describe (1) the list of parties, the type of transfer and competent authority, (2) the technical and organisational measures agreed between the parties and (3) the list of sub-processors.

Are there any significant differences between the existing SCCs, draft GDPR SCCs of November 2020 and the final GDPR SCCs?

Yes. In addition to the modular approach outlined above and the risk-based approach adopted in the GDPR SCCs, some of the material differences may be summarised as follows.

 

Liability and indemnification

The existing SCCs include an optional indemnification provision pursuant to which the parties agree that, if one party is held liable for a violation of the SCCs committed by the other party, the latter party will, to the extent to which it is liable, indemnify the first party. A similar indemnification provision proposed as mandatory in the November 2020 version of the GDPR SCCs was removed from the final GDPR SCCs.

 

Each of the four modules includes a liability section consistent with the liability regime set out under GDPR. Art. 82.3 of GDPR however clarifies that a controller or processor is exempt from liability under Art. 82.2 of GDPR if it proves that it is not responsible for the event giving rise to the damage.

 

Obligation to provide a copy of the GDPR SCCs to data subject

On request, the parties to the GDPR SCCs need to make a copy of the GDPR SCCs, including the annexes, available to the data subject free of charge. While the parties may redact part of the text of the annexes prior to sharing a copy to protect business secrets or other confidential information, they should (1) provide a “meaningful summary” where the data subject would otherwise not be able to understand its content or exercise his/her rights and (2) on request, provide the data subject with the reasons for the redactions “to the extent possible without revealing the redacted information”.

 

How much time do we have to act?

Further to being published in the EU Official Journal on 7 June 2021 [5], the GDPR SCCs will enter into force on 27 June 2021. Existing SCCs may continue to be used until 27 September 2021.

 

However, existing SCCs entered into before 27 September 2021 will need to be replaced by the final GDPR SCCs by 27 December 2022.

 

A careful and detailed review of the final GDPR SCCs will be required to assess any material changes from the draft GDPR SCCs published in November 2020, given that the European Commission took into account the 148 feedback submissions from the public consultation and the joint opinion 1/2021 [6] issued by the EDPB and European Data Protection Supervisor (“EDPS”) [7] in January 2021 (“Joint Opinion”).

 

Practical Considerations for your Business

Should the GDPR SCCs be entered into as a standalone contractual arrangement?

Not necessarily. The parties to the GDPR SCCs are free to include the GDPR SCCs in a wider contract, namely the primary commercial agreement between the parties.

 

Can the GDPR SCCs be negotiated by the parties entering into this transfer mechanism?

Yes. While the data exporter and data importer may not amend the terms set out in the GDPR SCCs, the parties may add other clauses or additional safeguards “provided that they do not contradict, directly or indirectly, the [SCCs] or prejudice the fundamental rights or freedoms of data subjects.”

 

Specific provisions to consider?

While the CJEU confirmed in the Schrems II Decision that SCCs remain valid on the basis, amongst other things, that the mechanism “incorporates effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law”, the data exporter and data importer should provide additional safeguards by using contractual commitments supplementing the SCCs. The focus, therefore, would be for financial institutions, both as data exporter and data importer, to assess what “Supplementary Measures” may need to be implemented, in addition to the technical and organisational measures already in place.

 

Assessment of the law in the relevant third country

The parties to the GDPR SCCs, amongst other things, must warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under the GDPR SCCs. The risk-based assessment of the laws and practices of the third country of destination must be documented and made available to the competent data protection authority on request.

 

Supplementary Measures?

The EDPB and EDPS have indicated in their Joint Opinion that the assessment of the legislation of the third country of destination, which may prevent the data importer from fulfilling its obligations under the GDPR SCCs in connection with a specific transfer, should be based on “objective factors” regardless of the likelihood of access to the personal data. Objective factors include aspects such as (a) the purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support), (b) the types of entities involved in the processing (public/private), (c) the sector in which the transfer occurs (e.g., telecommunication, financial), (d) the categories of personal data transferred and, (e) the format of the data transferred (i.e. in plain text, pseudonymised or encrypted).

In addition, the final version of the Supplementary Measures includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.

 

What else?

Financial institutions may also wish to monitor any communication from the European Parliament. A press release dated 20 May 2021 indicated that the European Commission should issue clear guidelines on making data transfers compliant with recent CJEU rulings, which would be particularly welcome for SMEs [8].

 

Challenges

Project management and implementation

Although not always considered when assessing regulatory changes and their related impact, two of the most apparent challenges relate to the “volume” to tackle and the “time” permitted to complete such changes. Now that the final GDPR SCCs have been published, financial institutions will have up to 18 months to take on the exercise of transitioning from the current SCCs to the GDPR SCCs, both with their delegates (acting as processors) and their vendors (acting either as controllers or processors). In other words, financial institutions may wish to create a task force whose primary task will be to prepare an implementation project plan and related timeline, if not already initiated.

 

Data flows between the UK and the EU

On 19 February 2021, the European Commission launched its procedure for the adoption of two adequacy decisions (“UK Adequacy Decisions”) for transfers of personal data to the United Kingdom under GDPR and the Law Enforcement Directive [9]. In April 2021, the EDPB published an opinion on the draft UK Adequacy Decisions [10]. The UK Adequacy Decisions, if approved, will be granted for four years and can be renewed for another four years following a review by the European Commission. The European Commission may also suspend, repeal or amend the UK Adequacy Decisions at any given time during the four years if there is any indication an adequate level of protection is no longer ensured in the UK.

 

At the time of writing, it is understood that the Committee established under Art. 93 of GDPR approved the UK Adequacy Decisions. Provided that the UK Adequacy Decisions are published in the EU Official Journal before the transition period ending 30 June 2021, the UK will not become a “third country,” meaning that transfers of personal data from the EU to the UK may continue without the need to put in place additional safeguards such as the GDPR SCCs.

 

Development of standard contractual clauses outside the EEA

Another challenge certain institutions may encounter is where a financial institution based in the EU provides services to a client based in certain jurisdictions within Asia, such as Singapore, and collects and processes personal data from that Singapore legal entity and its customers. The Singapore Personal Data Protection Commission (“PDPC”) issued on 22 January 2021 Guidance for the use of the Model Contractual Clauses published by the Association of Southeast Asian Nations (ASEAN) for Cross Border Data Flows in Singapore [11].

 

The PDPC, recognising and encouraging the ASEAN Model Contractual Clauses (ASEAN MCCs), has indicated that the ASEAN MCCs are for voluntary adoption. The parties may continue using their preferred contractual templates for cross-border data transfers out of Singapore, provided they are compliant with the Singapore Personal Data Protection Act. The ASEAN MCCs provide two modules (Controller-to-Processor and Controller-to-Controller) for use in the relevant transfer scenario and include sample commercial components covering, for instance, the choice of law disputes or suspension of transfer.

 

Conclusion

Given the challenges outlined above, namely the likely high volume of SCCs to be repapered and the 18-month timeline to implement the new GDPR SCCs in replacement of existing SCCs, financial institutions should create a task force to prepare an implementation project plan and related timeline.

 

In the meantime, financial institutions should conduct a careful and detailed review of the final Supplementary Measures to assess any material changes from the draft Supplementary Measures published in November 2020 and closely monitor any developments and related communications from the European Commission, the EDPB and EDPS and the European Parliament.  

References:

  1. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Data-protection-standard-contractual-clauses-for-transferringpersonal-data-to-non-EU-countries-implementing-act-_en
  2. The EDPB is an independent European body composed of the EU national data protection authorities which, amongst other things, provides general guidance to clarify the law and to promote a common understanding of EU data protection laws
  3. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/recommendations-012020-measures-supplement_en
  4. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
  5. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
  6. https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12021-standard_en
  7. The EDPS is the EU independent data protection authority and, amongst other things, advises the European Commission, the European Parliament, and the Council on proposals for new legislation and other initiatives related to data protection
  8. https://www.europarl.europa.eu/news/en/press-room/20210518IPR04206/data-protection-meps-call-for-clear-guidelines-on-transferof-data-to-the-us
  9. https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661
  10. https://edpb.europa.eu/news/news/2021/edpb-opinions-draft-uk-adequacy-decisions_en
  11. https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Singapore-Guidance-for-Use-of-ASEAN-MCCs.pdf?la=en
  12. The European Parliament passed a resolution on 21 May 2021 to ask the European Commission to amend the UK Draft Adequacy Decisions with a view to “making them fully consistent with EU law and case law” https://www.europarl.europa.eu/news/en/press-room/20210517IPR04124/dataprotection-meps-urge-the-commission-to-amend-uk-adequacy-decisions
  13. https://edpb.europa.eu/news/news/2021/edpb-adopts-final-version-recommendations-supplementary-measures-letter-eu_en

Author:

Flavien Corolleur

Senior Legal Counsel and Data Protection Officer at SS&C Technologies

 

 

ICQ Summer Edition 2021

This article was taken from the ACOI's ICQ Summer Edition 2021