Standard contractual clauses challenged by GDPR and scrutinized by CJEU

The EU Standard contractual clauses (“SCCs”) have been the most frequently used means for data transfers outside the EU. Under the EU General Data Protection Regulation 2016/679 (“GDPR”), which comes into effect in May this year, the SCCs provide for “appropriate safeguards” validating transfer of personal data to a third country or an international organisation.

However, the SCCs currently covering controller-to-processor (C2P) data transfers do not meet all GDPR requirements for a lawful transfer. The clauses, adopted by the European Commission in 2010, need to be amended – although it is less than clear at this point who should amend them, whether the European Commission or the controllers and processors themselves when they draft particular controller to processor contract.

In contrast to its predecessor (Data Protection Directive 95/46/EC), the GDPR sets forth numerous data processor’s obligations which must be stipulated in a contract with the controller or in “other legal act under Union or Member State law” (Article 28). GDPR authorizes the European Commission and supervisory authorities (i.e. EU member states’ data protection authorities) to lay down standard contractual clauses to meet these requirements. To our knowledge, none of them has come up with a draft of amended SCCs to date.

Affected companies might be best placed to amend (or, rather, append) their agreements incorporating the SCCs so to be fully compliant with the GDPR. The companies would have to tackle a series of requirements, all stemming from GDPR Article 28 and not addressed in the current C2P SCCs:

  1. Duration of processing. According to the GDPR (Art. 28.3) the description of processing must contain the following information: (i) the subject-matter of the processing; (ii) the duration of the processing; (iii) the nature and purpose of the processing; (iv) the type of personal data to be processed; (v) the categories of data subjects; and (vi) the obligations and rights of the data controller. At the moment the SCCs do not contain the information under (ii);
  2. Onward transfer of the data outside the EEA without the data controller’s permission. The SCCs do not regulate the situation when the data processor aims to further transfer the data outside the EEA. Under the GDPR Article 28.3, in case of such onward transfer the data processor must inform and ask for permission from the data controller;
  3. Confidentiality provision. The SCCs in the current form do not include a provision obliging the data processor to ensure that its personnel authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  4. Data processor’s obligation to assist the data controller who has to respond to data subject’s requests. In their current form the SCCs in clauses 5(d)(iii) and 5(e) prescribe only that the data processor must notify the data controller of the data subject’s request. GDPR, however, require that the data processor cooperate with the data controller in responding to the requests by data subjects when they exercise their rights under the Regulation;
  5. The obligation of the data processor to cooperate in a data protection impact assessment (DPIA) conducted by the data controller. Under the Data Protection Directive there is no obligation for the data controller to conduct a DPIA, so the SCCs do not regulate cooperation between the controller and the processor in that regard. The companies should introduce in the SCCs the new processor’s obligation to assist the data controller in the event the controller initiates a DPIA;
  6. The data processor’s obligation to assist the data controller in case of a data breach. The data controllers have to include in their agreements with data processors a provision on the obligation of the data processor to notify the data controller without undue delay after becoming aware of a data breach and to assist the controller in the investigation and notification to the supervisory authority and data subjects; and
  7. Requirements concerning the audit. Although the SCCs currently specify, in clauses 5(f) and 12(2), that the data controller may inspect the processor for compliance with the requirements of the clauses, the audit provision still does not meet the requirements enshrined in the GDPR. Specifically, the data processor has to contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Even if the companies append the above contents to the text of the current C2P SCCs, or the European Commission amends the clauses, the SCCs’ destiny remains uncertain. This is because the Court of Justice of the European Union (“CJEU”) is to decide on whether EU residents’ personal data are sufficiently protected when transferred to the United States – and perhaps even more broadly, to any third country –  using this instrument.

Back in October 2015, the CJEU invalidated in the famous Schrems decision the Safe Harbor scheme, which up to that point served as the chief legal instrument for transfer of personal data from Europe to the United States. In the aftermath of that judgment, on 16 December 2016 the European Commission published two decisions, changing its previous decisions on SCCs and adequacy decisions on third countries. The European Commission wanted to minimise the risk of the earlier decisions being invalidated by the CJEU for the same reasons as that for which the Safe Harbor was struck down. To that effect, the EU Implementing Decision 2016/2297 modified the decisions on controller-to-controller and controller-to-processor SCCs by strengthening the right of the DPA to oversee data flows, including their power to suspend or ban a transfer of personal data in case the transfer is carried out in violation of EU or national data protection law.

Max Schrems, who initiated the proceedings that resulted in the demise of the Safe Harbor, has also filed a complaint to the Irish Data Protection Commissioner (“DPC”) requesting that the DPC declare that the SCCs – both the controller to processor and controller to controller ones – do not provide sufficient protection when personal data are transferred outside the EU to the US. The DPC’s preliminary decision in May 2016 stated that the case was well founded and the DPC commenced proceedings before the Irish High Court.

In its 153-page judgment, the High Court found that the DPC had raised well-founded concerns about the SCCs’ validity and decided to refer the question to the CJEU. The High Court agreed with the concerns of the DPC regarding the incompatibility of US surveillance practices with EU law and the absence of an effective remedy before an independent tribunal as guaranteed by Article 47 of the EU Charter of Fundamental Rights. Therefore, the court decided to refer the case to the CJEU under a preliminary ruling procedure.

The High Court is yet to draft questions for the CJEU to answer. If the question is framed broadly, so to concern validity of the SCCs as an instrument for a transfer to any country and not only the US, the implications are potentially even more significant than when the CJEU invalidated the Safe Harbor in 2015. No less than 89 per cent of EU companies rely upon the SCCs (controller to processor, or controller to controller) when transferring data to the US or other non-EU country. For the time being the SCCs remain a valid basis for the transfers abroad, but perhaps in around two years from now – when the CJEU carries out a thorough scrutiny of the SCCs’ adequacy and renders a decision – companies will have to rethink their data flows and turn to some other instrument to back up their overseas transfers.