Sep 28

Challenges of using SCCs for the transfer of personal data outside of the EEA: what the EU Commission didn’t tell you

On 04 June 2021, the EU Commission adopted two sets of Standard Contractual Clauses (SCCs), one of which is designated for the transfer of personal data to countries outside of the EEA. There is also a separate set of SCCs adopted by the EU Commission for intra-EEA data transfers. However, in this blogpost, the term “SCCs” refers to the SCCs designated for the transfer of personal data to countries outside of the EEA, unless stated otherwise.

To recall, the SCCs are one (and by far the most usable) of the mechanisms that can be relied on to legally transfer personal data to data importers geographically located in a third country outside the EEA. See our blogpost to find out what “geographically in a third country” means in the context of international data transfers.

Although accompanied by the EU Commission Implementing Decision, the SCCs do not elaborate much on how certain data processing scenarios should be approached. In an attempt to answer frequently asked questions, on 25 May 2022, the EU Commission published “Questions and Answers” (Q&A) in respect of the SCCs. However, as can be seen from the examples below, many burning issues still have not been sorted out, which creates uncertainty about how the SCCs should be used in particular scenarios. In this blogpost, DPOrganizer will walk you through three of them that appear to be the most intriguing.

1) Distribution of multiple importers across adequate and non-adequate countries

Surprisingly enough, neither of the EU Commission’s documents addresses the issue of how to properly conclude the SCCs when there are several data importers in the data processing chain distributed across adequate and non-adequate countries.

Let’s take a look at the following examples of data transfer schemes.

Example 1. Controller (EU-based) → Processor (non-adequate country) → Sub-processor (adequate country).

At the first stage, Controller and Processor conclude SCCs between the two of them. However, it remains unclear what should be signed between Processor and Sub-processor (which is geographically located in a country that the EU Commission considers to provide adequate protection, hereinafter – adequate country).

From Articles 8.8 (Module Three) and 16(e) of the SCCs, it is clear that a Sub-processor in an adequate country is not required to agree to be bound by the SCCs. On top of that, it would be illogical to impose on it the same obligations as on importers located in non-adequate countries. Further, Article 16(e) of the SCCs says that “either party may revoke its agreement to be bound by” the SCCs in case the EU Commission adopts an adequacy decision. Given the above considerations, entering into the SCCs with a Sub-processor from an adequate country is unlikely to be a viable option.

Thus, in this scenario, it would be more appropriate for Processor and Sub-processor to conclude a data processing agreement that complies with the requirements of GDPR Article 28(3). For that purpose, the separate set of SCCs adopted by the EU Commission for intra-EEA data transfers may also be used.

Example 2. Controller (EU-based) → Processor (adequate country) → Sub-processor (non-adequate country).

In this scenario, as long as Processor is in an adequate country, it is sufficient to put in place a GDPR Article 28(3) agreement between Controller and Processor. The separate set of SCCs adopted by the EU Commission for intra-EEA data transfers may also be used.

The issue is how Processor should transfer the data to a Sub-processor in a non-adequate country. Imposing the obligations set out in the agreement mentioned in the previous paragraph is not an appropriate option, since that agreement is not intended to cover data transfers to non-adequate countries.

The SCCs (Module Three) concluded between Processor and Sub-processor might seem to be a viable option. The issue is, however, that the EDPB says the data exporter (in this case – Processor) must be subject to the GDPR as per Article 3 for an international data transfer to exist (see our blogpost about the notion of international data transfer). However, Processor might not be subject to the GDPR. Where this criterion is not met, there is no international data transfer if the EDPB’s logic is followed formally, which makes the SCCs (and other data transfer tools) unnecessary.

However, it should be noted that, despite this formal misalignment, the personal data is still transferred to an organisation in a non-adequate country. With this in mind, it is still highly recommended for Processor and Sub-processor to enter into the SCCs (Module Three).

At the same time, conflicts like those described above remain unresolved in both the EDPB’s and the EU Commission’s documentation.

2) When the data importer is subject to the GDPR Article 3(2)

Under the GDPR Article 46(2), the SCCs have exactly the same ‘power’ as the other data transfer tools mentioned there. And when it comes to the notion of international data transfer (see our blogpost to learn more), neither the GDPR itself nor the EDPB makes any distinction depending on whether or not the data importer itself is subject to the GDPR pursuant to Article 3(2): it would still be an international data transfer that might be governed, as the case may be, by the SCCs.

However, that is not the approach that the EU Commission seems to take. In the EU Commission Implementing Decision on the SCCs, Recital 7 sets forth that the SCCs may not be used when the processing by the data importer falls within the scope of the GDPR, i.e., when the data importer is subject to the GDPR pursuant to Article 3(2). At that time, some privacy practitioners concluded that the SCCs may still be concluded in this scenario, since recitals are not binding by their nature and, thus, Recital 7 may be ignored.

However, in the Q&A, the EU Commission restated its opinion and pointed out that the SCCs may not be concluded if the data importer is subject to the GDPR pursuant to Article 3(2). As the EU Commission explained, the SCCs would otherwise “duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under the GDPR”.

That said, the EU Commission, unfortunately, left privacy practitioners with two unanswered questions: 1) how to proceed until the additional set of SCCs for this scenario is developed; 2) what the legal implications would be if the parties, despite the prohibition, still conclude the SCCs and perform an international data transfer on that basis. These issues become even more intriguing given that the EU Commission’s approach is clearly misaligned with the EDPB’s opinion and with the GDPR rules themselves.

At the time of writing, DPOrganizer is not aware of any practical cases where, due to the EU Commission’s position, the SCCs concluded with the data importer subject to the GDPR have been declared invalid.

3) Risk-based approach to international data transfers

The GDPR adopts a risk-based approach to data processing, meaning that the data controller should evaluate the likelihood and the severity of the risk to the data subject, depending on the nature, scope, context and purposes of the processing (Recitals 74, 76). Risks should be evaluated when choosing technical and organisational security measures, when conducting a DPIA, when deciding whether or not a data breach is reportable, etc.

However, this does not appear to be the case when it comes to international data transfers. The approach of the EDPB’s Recommendations 01/2020 leaves room for two interpretations as to whether even a theoretical possibility of unjustified interference with the fundamental rights to privacy and data protection is enough to declare a transfer illegal. At the same time, a ‘zero-risk’ approach was supported by France’s supervisory authority (CNIL), which stated that, when transferring personal data to a third country, every possibility of unlawful access to personal data must be eliminated; Austria’s supervisory authority holds a similar view.

The SCCs themselves contain some provisions on the assessment of the local laws of third countries and of access by local public authorities (see Clauses 14 and 15). Those, however, do not elaborate much on the possibility of a risk-based approach.

Given this clear controversy, it was expected that the issue would be touched on in the EU Commission’s “Questions and Answers”. However, it was not. As of today, to be on the safe side, it is recommended to proceed on the assumption that every possibility of improper access to personal data by the public authorities of third countries must be eliminated. This should be taken into account when conducting an impact assessment of the transfer of personal data to a third country.

***

As the EU Commission states, the Q&A are considered a ‘dynamic’ source of information that is updated from time to time. Hopefully, the issues outlined above will be addressed in the future to make the usage of the SCCs more straightforward in different processing scenarios.
