On May 25th 2022, the European Commission published a series of questions and answers on the SCCs to be used between controllers and processors within the European Economic Area (EEA), and the SCCs to be used for transfers to countries not considered adequate by the European Commission (Third Countries) (the Q&As).
The text of the Q&As is available here
The Q&As consists of 44 questions and answers, which cover topics including the background to the SCCs; how SCCs interact with broader commercial agreements (in which they may be incorporated); use of the ‘docking clause’; and the types of transfers to Third Countries for which the SCCs should be used.
In this short blog-post, we focus on several of the questions that we consider are of particular interest with respect to the transfers of personal data to Third Countries, along with our take on the potential considerations parties should have in light of the answers provided by the European Commission.
- Questions 6, 10 and 12: Signature of the parties to the SCCs
The answers to these questions indicate that the European Commission anticipates that the parties to the SCCs must sign Annex 1 of the SCCs (with the answer to question 12 regarding accession of a new party including the following statement: “the new party will need to complete the Annexes and sign Annex I of the SCCs in order to make such accession effective. Amending the main agreement to which the SCCs are annexed, by adding parties to that agreement, is not sufficient to add parties to the SCCs”). However, it also states “the SCCs do not contain any requirement on how the signature should be formalised (eg, whether it can be done electronically). This is left to national (civil/ contract) law governing the agreement.”
Our take: A number of organisations take the approach of deeming the SCCs signed once the applicable parties sign the main commercial agreement in which the SCCs are incorporated.
We do not read the European Commission’s answers as precluding this practice; but it will be important to be certain that any such mechanism is effective under the governing law of the SCCs and the main agreement that the SCCs support. In some cases, this may require more explicit wording as to the dual effect of signing the main agreement.
- Questions 8 and 35: Limitation of liability under the SCCs
The answers to these questions state that (a) liability of the parties towards data subjects under the SCCs; and (b) liability between the parties under the SCCs cannot be contradicted or undermined by clauses in the main commercial agreement in which the SCCs may be incorporated.
Our take: Generally, most organisations entering into the SCCs have taken the view that liability towards data subjects cannot be limited (and we often see explicit drafting on this point).
The position regarding unlimited liability between the parties is more controversial and given that SCCs cover more than just export (ie security standards, breach notification and data subject right response assistance) is likely to be cited heavily by exporters in commercial negotiations going forwards.
- Question 24: Application of the SCCs where Article 3 of the GDPR directly applies to the importer
The answer to this question is clear that the SCCs cannot be used for transfers from the EEA to organisations in Third Countries where those organisations are directly subject to the GDPR.
The European Commission is in the process of developing an additional set of standard clauses to apply to this scenario. There is no direction as to what to do until these become available.
Our take: Article 7 of the European Commission’s implementing decision on the SCCs and the EDPB Guidelines on the interplay between Art 3 and Chapter V of GDPR[1] made the same point and it is taking some time for the European Commission to publish the alternative clauses.
The rationale for using alternative clauses is that the provisions in the SCCs are less exacting than the direct application of the GDPR and so the Commission and EDPB are concerned about the importer being excused full performance. The UK International Data Transfer Agreement (IDTA) has already addressed this issue by dissapplying certain IDTA obligations where the UK GDPR applies directly to the Third Country importer whilst applying all of the IDTA obligations to any onward transfers made by the Third Country importer – it seems likely the EU Commission will take a similar approach.
If it wasn’t for the need to undertake a transfer impact assessment alongside each transfer under SCCs most exporters would have insisted on imposing the controls set out in the SCCs on importers directly subject to the GDPR. However, the opportunity to avoid undertaking a transfer impact assessment coupled with these regulatory warnings has meant many importers have successfully resisted exporters’ attempts to impose SCCs as a precaution. It should be noted that the UK IDTA still requires a transfer impact assessment when transferring to a Third Country importer directly subject to the UK GDPR, so the Commission alternative clauses may well also include such a requirement.
[1] https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en