What is the background?
Controller-to-processor (C2P) standard contractual clauses (SCCs) for contracts between controllers and their processors under Article 28 of the EU’s General Data Protection Regulation (EU) 2016/679 (EU GDPR) are a new development under the EU GDPR.
As is well known, Article 28(3) of the EU GDPR requires contracts to be entered into between controllers and their processors, covering certain minimum areas in their terms, and Article 28(4) of the EU GDPR requires the ‘flow down’ of those terms to any sub-processors engaged by the processor. By Article 28(7) of the EU GDPR, the European Commission is empowered to lay down SCCs to cover these controller-to-processor (C2P) contract matters. Further, Article 28(8) of the EU GDPR empowers national supervisory authorities to adopt their own forms of SCCs to enable compliance with Article 28(3), subject to approval by the European Data Protection Board (EDPB). Some national forms of C2P SCCs have been adopted, e.g. in Denmark, and in the UK the Information Commissioner’s Office (ICO) has even endorsed use of the Danish SCCs as being compliant with Article 28(3).
The Commission’s new SCCs aim to provide a form of C2P contract compliant with Article 28(3)–(4) of the EU GDPR, and also compliance with equivalent requirements under Regulation (EU) 2018/1725 on data protection by EU institutions (supervised by the European Data Protection Supervisor (EDPS)). The European Commission issued the C2P SCCs in draft form in late 2020, and the EDPB provided its opinion on the draft SCCs jointly with the EDPS in January 2021. The Commission Implementing Decision issuing the final version of these SCCs was finally published on 4 June 2021 and appeared in the Official Journal of the EU on 7 June 2021, so they can be used from 27 June 2021.
This analysis discusses only the EU GDPR version, but note that the C2P SCCs provide for alternative wording for SCCs under Regulation (EU) 2018/1725, so it will be necessary to select the correct option throughout when using these SCCs, and provide for governing law (on which the SCCs are silent).
What is the relationship between the C2P SCCs and the new SCCs for international transfers?
It is important to distinguish these new C2P SCCs from the new form of SCCs that may be used to provide appropriate safeguards for international transfers of personal data outside the EEA under Article 46 of the EU GDPR. The latter set has received the lion’s share of practitioner and public attention and, somewhat confusingly, was released at the same time as the Article 28 C2P set of SCCs, with both sets also being abbreviated to ‘SCCs’.
International transfers SCCs are now generally the only viable option for transfers to the USA and other non-‘adequate’ countries under the EU GDPR, except for transfers under binding corporate rules (BCRs), which very few companies have implemented, or unless one of a number of limited derogations applies. Recall that Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/17 (the Schrems II case), from July 2020, invalidated the EU-US Privacy Shield for transfers to the USA, and furthermore stated that transfers under international transfers SCCs would be valid only if the data is protected to an essentially equivalent standard as under the EU GDPR by using appropriate ‘supplementary measures’ designed to prevent access by authorities of the ‘third countries’ to which personal data is being transferred.
Therefore, except for transfers to the very few ‘adequate’ countries or under BCRs, generally organisations now have no choice but to use international transfers SCCs plus supplementary measures. The new international transfers SCCs aim to provide (at least where possible contractually) supplementary measures designed to address the issues raised in Schrems II, so it is likely that their use will ramp up. (For further information on the new international transfers SCCs, please see this blog and this webinar.)
However, in contrast, the C2P SCCs aim to provide a simple way for EU controllers to enter into contracts with processors that are compliant with Article 28(3)–(4) of the EU GDPR. Unlike with the international transfers SCCs which, in practice, many organisations now have little option but to use, it is not mandatory to use the C2P SCCs. Indeed, the Implementing Decision’s Recital 5 notes, in line with Article 28(6) of the EU GDPR, that parties are free to negotiate a contract containing the compulsory elements of Article 28(3)–(4) of the EU GDPR, or they may use, in whole or in part, the C2P SCCs, ie ‘pick and choose’ clauses as they wish.
One advantage of the C2P SCCs is that, as they were promulgated by the Commission under Article 28(7) of the EU GDPR via an approval procedure, including obtaining the EDPB’s opinion on the draft SCCs, regulators should be more willing to consider that a contract using or incorporating these SCCs complies with Article 28(3)–(4) of the EU GDPR.
The SCCs’ clauses cannot be modified if they are to be relied on as SCCs, but they can be included in a broader contract, and other clauses or additional safeguards for data subjects may be added provided they do not directly or indirectly contradict the SCCs or prejudice data subjects’ fundamental rights and freedoms (Clause 2(b) of the C2P SCCs). Indeed, the SCCs explicitly prevail over any conflicting related agreements (Clause 4 of the C2P SCCs). However, note that, while adherence to approved codes/certifications may be used as ‘an element’ to demonstrate compliance with the requirement for controllers to use only processors that provide ‘sufficient guarantees’ for EU GDPR compliance (Article 28(5)), strictly Article 28 of the EU GDPR itself does not state that use of the C2P SCCs will be deemed to demonstrate compliance with Article 28(3)–(4) of the EU GDPR—that is only implicit.
Can the new C2P SCCs be used for international transfers outside the EEA?
The new international transfers SCCs cover the Article 28 of the EU GDPR provisions, and therefore can be used for compliance with both: (a) Article 28(3)–(4) of the EU GDPR (for the minimum terms controllers must generally put in place with processors); and (b) Article 46 of the EU GDPR (for the transfer of personal data to third countries outside the EEA).
However, the C2P SCCs do not cover Article 46 provisions and therefore cannot be used as SCCs for the transfer of personal data to third countries outside the EEA, as illustrated by the diagram below, and as stated by Clause 1(f) of the SCCs.
To what extent are the new C2P SCCs a useful additional resource for organisations?
The C2P SCCs largely ‘copy out’ the EU GDPR’s text, but in some areas impose broader and tighter restrictions on processors than EU GDPR itself does, e.g. explicit requirements to limit staff access to the personal data to what is ‘strictly’ necessary (a ‘best practice’ standard rarely met in real life), specific restrictions/additional safeguards for sensitive data, requiring certain third party beneficiary rights for controllers against any sub-processors, certain controller rights to suspend or terminate processing (decoupled from termination of the main services agreement), and an obligation to notify the controller of any non-compliance with the C2P SCCs regardless of materiality.
The processor must also assist with the controller’s notification to its regulator of any personal data breach ‘concerning data processed by the controller’, quite separately from any such breach concerning data processed by the processor.
Accordingly, as with the national SCCs to date, these C2P SCCs are not appropriate for business models such as cloud computing, because of cloud’s standardised, commoditised, pre-built multi-tenant, hyperscale, self-service nature, which is datatype-neutral and purpose-neutral—particularly with Infrastructure as a Service/Platform as a Service. As I have written previously, none of those issues is new. For example, a requirement to ‘return’ data on termination is unnecessary with cloud, as customers can download their data themselves in self-service fashion.
The C2P SCCs are much more ‘controller-friendly’ than the EU GDPR requires, so controllers are more likely to want to use these SCCs. In contrast, processors are likely to resist (eg the third party beneficiary rights required will be impossible to implement in many complex supply chain situations, notably cloud), and/or will want additional clauses to leaven the ‘gold-plating’ aspects of these SCCs, particularly to seek reimbursement of processors’ costs for complying with the various requests controllers are entitled to make. Such additional costs clauses ought to be considered a commercial matter, and therefore acceptable as not conflicting with the SCCs, provided the costs are reasonable and not set deliberately too high so as to deter controllers from making requests.
The C2P SCCs could be used as a reference point to the extent they represent the Commission’s highest common denominator, ‘gold standard’, views of what Article 28(3)–(4) contract terms should contain. However, bear in mind that they are not mandatory, so organisations can, and should, consider these SCCs alongside any relevant national SCCs and the relevant business model, and decide which if any clauses are appropriate in the particular circumstances, adapting them as needed to suit those circumstances, e.g. for cloud computing.
As the C2P SCCs go beyond the EU GDPR’s requirements in favouring controllers over processors, it seems unlikely that cloud providers’ standard terms will change very much, although some providers could use or incorporate some elements to tout their privacy-protectiveness.
One potentially helpful aspect of these SCCs is an optional ‘docking clause’ (Clause 5 of the Implementing Decision), enabling a new party, with existing parties’ agreement, to accede to the SCCs subsequently (as from its signing date), by completing the Annexes and signing. The C2P SCCs do otherwise include a few aspects that are more business-friendly (and even processor-friendly, e.g. ‘In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor’), but those aspects could be incorporated into the parties’ own contract without necessarily incorporating or using these SCCs in full.
What are the implications for organisations in the UK and can the new C2P SCCs be adapted for use under the UK GDPR?
Turning to the UK position, these SCCs were adopted after the end of the Brexit transition period, so strictly, UK organisations cannot use them to ensure compliance with the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR), unless and until they are formally adopted (no doubt in the same or similar form) under the UK Data Protection Act 2018 for use in the UK.
However, in practice, as Article 28 of the GDPR currently remains unchanged under both the EU and UK GDPR post-Brexit, and the SCCs were designed for Article 28 compliance, it seems unlikely that the ICO would rule the use of these SCCs as non-compliant if UK organisations choose to use these SCCs, or specific clauses from them, and make appropriate amendments for the UK GDPR (eg to change the references to ‘Union or Member State law’ in the C2P SCCs to refer to the laws of the UK and its parts where appropriate).
How much impact are the new C2P SCCs likely to have on market practice?
In summary, these C2P SCCs may not change market practice much if at all, unlike the transfers SCCs which are likely to see widespread use in the near future.
They could simplify C2P contracting in very basic, straightforward, non-cloud circumstances, so some controllers may start putting them forward. However, processors would be well advised not to agree to these SCCs without seeking legal advice and insisting on additional terms to address the SCCs’ ‘gold-plating’ of EU GDPR requirements or, frankly, they would be better off just using other contract terms altogether.
A version of this analysis was first published on Lexis®PSL on 15 June 2021, interviewer Barbara Kozusnikova, and can be found here (subscription required).