Mishcon de Reya page structure
Site header
Main menu
Main content section

Initial Reactions: New Standard Contractual Clauses from the European Commission Heralds a New Dawn for Data Transfers

Posted on 4 June 2021

The Mishcon Academy Digital Sessions. Conversations on the legal topics affecting businesses and individuals today.

Adam Rose 
Hello this is Adam Rose, Data Partner at Mishcon de Reya and I welcome you to this, a Mishcon Academy Digital Session along with my Partner, Ashley Winton.  We have received today as you may all have seen the European Commission’s new documentation dealing with International data transfers and the appointment of processors and we thought it would be useful if the two of us had a little chat that we shared with you by way of this Mishcon Academy Digital Session podcast.  We are both contactable at our usual Mishcon addresses if you do have any better questions than I am able to ask or better answers than Ashley is able to give, but the way we are going to be conducting this session is I will generally be asking the questions, Ashley will generally be trying to give answers and we will both probably interrupt each other as we go through.  So hello and welcome and hello Ashley.  The background to these documents, really four documents have come out today; two background documents that say this is what we are doing and then the underlying documents, one of which is the one we are going to be paying particular attention to is effectively replacing the existing standard contractual clauses which you will all be familiar with, model clauses, standard contractual clauses, SCC’s, whatever you want to call them and we will come on to that in particular in a moment.  The other document I’ll just mention in passing because it’s actually I think quite a useful document is a document that gives effect to Article 28 of GDPR and sets out exactly the sorts of things that need to be in place between controllers and processors when controllers are appointing processors and that’s really focussed on processors generally who are within the European Union or subject to GDPR and for which in the past everyone has had to make up their own version so we now have a standard set under Article 28 (7) of GDPR and I don’t think we are going to spend too much time looking at that although we might flit backwards and forwards.  So Ashley, turning to you, do you want to give us some sort of general background on when these standard contractual clauses have been used, what their purpose has been and why now has this come out?

Ashley Winton
Adam certainly, well look this is a really interesting subject and it starts from then basic premise that when the European Union introduced data protection laws it was quickly realised that one way to get round the laws as it were, was that you could send the data out of European to some data wild west like America where it would be processed there and the data would be returned and perhaps that process was not properly in compliance with the law.  So when the law in Europe was introduced back in 1995 there were these provisions which said that if you wanted to export personal data from Europe you had to put in place these additional requirements and of which the most popular one was to put in place a standard form contract that was published by the European Commission and that contract or contracts record the standard contractual clauses and it is that that’s been updated today.

Adam Rose
So when, when are these new things going to come into, into force?

Ashley Winton
So we’ve got the documents from the website, we are waiting for the publication of them in the official journal which should be fairly quick, 20 days after that is the start point and then you have 3 months to carry on using the old version standard contractual clauses and then you need to be on this new set from that point onwards.

Adam Rose 
That’s quite a big ask for companies who are used to dealing with International data transfers all over their, their businesses to get stuff in place?

Ashley Winton
Yeah it’s huge.  Now there is a bit of a saving grace and grandfather provisions in here which I will talk about in a second but you need to think about where you are going to use it.  So you might use it as part of your intra-group, so your business is partly located in Europe or the UK and partly outside.  So you can use them intra-group.  You might be a European business that has non-European suppliers so you buy cloud services from the US, you use them there or maybe you are an American company and you have European corporate customers and now you use them there.  So there are three circumstances that you use the standard contractual clauses, so they are extremely widely used.  If you are a multi-national I would be surprised if you don’t have many, many, many versions of these contracts in your business.

Adam Rose 
Obviously some companies will have done things properly and will have loads of them, some companies might have taken a bit of a chance and not put them, but this new set of documents is going to require quite a lot of work for companies to get their heads round and their acts together?

Ashley Winton
Well I am afraid so.  As a bit of secret I have been involved in the standard contractual clauses as have you Adam, for 20 plus years and truthfully when people have implemented them historically they have often done so quite badly, i.e. in the contractual documentation there wasn’t a perfect fit for how they were put in place and so it is not just going to be an exercise of finding the standard contract clauses in your business already, and just putting in place the new ones being published today.  The exercise really is understanding where your data flows are in your business and putting in place the version of the standard contractual clauses and now there’s four in this one published today, that best fits.

Adam Rose
I was going to jump in on that because, because what the European Commission has done is published what looks on the face of it to be a single document but really they have created a modular version of a contract, it’s all very modern of them but that in one place in sort of 30 odd pages I guess, in fact I’m 33 pages of text including a front cover, they’ve really built four contracts haven’t they?  They’ve built a controller to controller version, a controller to processor, a processor to processor and perhaps so surprisingly of all, a processor to controller version.  All of which on a fairly quick review are clearly similar but different and each of which will need its own understanding of who you are in that supply chain so as between me and you, I might be an EU controller and you might be a non-EU processor in relation to a whole bunch of data that we are transferring to each other but equally there might be other circumstances in our same relationship where you are a controller or a processor caught by EU law relevant to me and I’m the processor or controller and we need to put multiple copies, versions of the document in place with each other under this new set of arrangements.

Ashley Winton
That’s exactly right.  You can wear multiple hats, so you can be a processor and a controller for the same data but for different purposes and that often happens, in fact that happens more so now and so frankly this is a case where you need a sharp pencil, a damp towel and a darkened room because it will give you a headache to try and figure which of the four permutations you been given today could apply to your multi-national relationships.  I should also say it’s not been very helpful has it from the European Commission because what we had before was a standard form contract, you’d pull it off the website, it wasn’t terribly well drafted but it didn’t really matter, you’d fill in the boxes, fill in the appendix with the factual stuff, sign it, job done.  Not so now.  You need to pull this off the contract, build it like a bit of Lego for the various components to plug it together and generate your own version of which four contracts.

Adam Rose
But I guess that’s to some extent, it’s sort of unsurprising in light of the most recent Schrems case and whilst you and I have had a bit of a laugh about the fact that one… as soon as these were published there would be a Schrems III but just looking at Schrems II which was the decision of last summer of the European Court of Justice that did away with the privacy shield of if you are on this side of the Atlantic, the privacy shield, that also looked at standard contractual clauses, the old form and said you can’t just simply take them off the website, fill in some boxes and you’re done.  You actually had to look at who am I sending the data to and where are they and do I need to take special measures to make sure that they still work and I guess there is an inevitability following Schrems II that this was going to be a bit more complicated.  So this was always coming down the line because of GDPR replacing the old directive but they’ve had to do sort of two things in once I guess, they’ve had to both address GDPR coming in and therefore needing new standard contract clauses and the fact they’ve been these Schrems cases and I suppose trying to pre-empt the next Schrems case.

Ashley Winto
n
You’re right and I think many people were hoping that these new standard contractual clauses would somehow help the Schrems situation.  So as we know post-Schrems you are required to do a transfer assessment to understand better the laws in the country that you are transferring data to and then if the assessment doesn’t meet their required standards you are supposed to put in place supplemental measures, it’s not exactly certain what those should be but they can be contractual or practical technical and I guess we were hoping well maybe this new contract would fix that but no, you’ve still got to all those steps in addition to putting in place this new form of standard contractual clause contract.

Adam Rose
I said at the outset there are sort of on this Article 46 front, the sort of International data transfer front rather than the mere appointment of a processor which is the Article 28 document, on the Article 46 document there are two documents really; there’s 10 pages or 7/8 pages of a decision which is mostly recitals, the whereas this and the whereas that clauses and those run to some 25/26 statements of background and then you’ve got your 30 odd page document which is the standard contractual clauses themselves and I just want to turn to the, what’s called the ‘Implementing Decision’ that sets out the 20 or so where’s, the recitals and maybe we could just have a quick look at some of the provisions in there because they sort of tell the story that the contract then seeks to implement and I was going to jump in at recital 7, whereas 7 which says ‘the controller or processor may use the standard contractual clauses set out in the annex which is the agreement itself to provide appropriate safeguards within the meaning of Article 46 for the transfer of personal data to a processor or controller established in a third country’.  So we immediately hit there the separation in the world between those countries which are within the ambit of the European Union law or have had an adequacy decision and we are sitting here in the UK wondering, biting our nails to find out will we get an adequacy decision or not and then there is the rest of the world, the so called third countries and I don’t know if you Ashley wanted to say something about the scope of when these apply and when we think they might apply and when we think they might not apply?

Ashley Winton
Yeah so there is a very curious thing going on here and it really actually is a lesson to say that you should always read the guidance notes or this first bit rather than just leaping into the practical annexe because if we look at this clause 7, and you look at the middle of it, it intriguingly says, ‘the standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of the GDPR’.  So let’s just unpack that.  It is saying that if the company that you are sending the data to is subject to the GDPR then you don’t use the clauses.  So hang on, how can the person in the other country be subject to the GDPR.  But remember the GDPR has extra territorial effect so it can apply outside of Europe and inside the UK if either the processing outside is in the context of an organisation in Europe or that company outside of Europe is providing goods or services to data subjects, to individuals in Europe or the company outside is monitoring data subjects in Europe.

Adam Rose
So that’s Article 3 of GDPR, that one needs to be looking at which sets out those three alternative ways in which GDPR might catch you?

Ashley Winton
Yeah, now logically this makes sense.  If we go back to the very basis for all these standard contractual clause, remember I said it was where you were transferring into the wild west and they might do things that aren’t in compliance with European Law but look, now the GDPR has extra territorial effect actually there’s not so much of a wild west because the company that you are transferring the data to might already be subject to the GDPR and if that is true, why need all these extra clauses?  So it is a, it is an absolutely transformative change in the way that these contracts are used.

Adam Rose 
So just to give an example, can we just sort of create a storyline where we’ve got a, say a French controller appointing a Paraguayan processor which wishes to appoint a Greek sub-processor?  So you’ve got in my example there, you’ve got your French controller having to put in place the new form standard contract clauses with its Paraguayan processor and then what happens?  The Paraguayan processor can’t use these terms when transferring to its Greek sub-processor because the Greek sub-processor is within the European Union and therefore it’s a transfer only to the extent the processing does not fall within the scope of GDPR, it does fall within the scope of GDPR so you are left with a model clause standard contract clause for leg 1 and then you are left with GDPR and I guess Article 28 for step 2.

Ashley Winton
I think that’s right.  So, so that’s a good point.  So if ever we look at onward transfer and so remember this is jargon for where you, once you’ve made your first transfer out of Europe, you then want to make your second transfer and then that could either be to someone else, either again outside Europe or someone else inside Europe but your example Adam, it’s someone inside Europe and the rules say now and no further measures are required for data transfer at least, if that second onward leg is back into Europe.  And that’s actually quite sensible because the data is protected when it’s back in Europe and processed by a company that’s subject to the GDPR.

Adam Rose
Looking at that the rest of these recitals, I just wonder if there is any in particular that you would like to pick up rather than sort of running through recital by recital and having a little chat about it.  Are there other recitals or one other recital that you particularly want to draw people’s attention to?

Ashley Winton
Well actually I’ll tell you a little funny story about part of this that if you look at 10 onwards, they talk about, they envisage that you could have lots of people signing the same copy of the standard contractual clauses and that’s kind of funny because 20 years ago that’s exactly what we did.  We implemented these multi-party agreements where everybody would sign the first small bit of the agreement and then in the schedule of the agreement, we would have the different versions of the then standard contractual clauses and the agreement would say, ‘well if your transfer is controller to controller use the terms in appendix A and if its controller to processor, use terms in B.  So that was the method that we had historically and then there was a real sense that the Data Protection Authorities around Europe didn’t like it, remember that was of an era pre-GDPR where we notified these things to the Regulators and they said ‘no we don’t like it, it’s too… we don’t like these agreements, they look a bit like BCR’s’, and so the industry moved away from that to just sticking exactly to the standard contractual clauses as published by the Regulator but now the Commission have brought back the very thing that we were doing originally and we could have these contracts that everyone can sign.

Adam Rose 
It’s interesting because I am sort of wondering how it actually works, I get, I get to go back to my example, the French controller says to its Paraguayan processor, ‘I want you to do this with this data and I am going to send it over to you at this sort of level of regularity once a month or whatever and I want you to meet these SLA’s, Service Level Agreements and deal with it’ and yes you can appoint a sub-processor, the Greek company I mentioned earlier and that’s all okay and then somebody else comes along and says, actually I’d like to sign up to those same terms and I don’t know who that somebody would be but another processor or another sub-processor or whatever, they would accede under the terms of this using the language of this, they would accede to this document and they’d say yeah we’re also now bound by it and that’s all well in terms of the sort of the generality of this but they would fit in, say they’d use the controller to process a version, they would accede as another processor to the same set of terms and then you look at the appendix which has annexes, it will list the parties, you’ll add yourself in as another party and the description of the transfer, it would be the same so that’s all okay and then the Competent Supervisory Authority would have to be whoever it is said to be and then you come to 4 which is technical and organisational measures including technical and organisational measures to ensure the security of the data and presumably not everyone has exactly the same technical and organisational measures in place and yet you’re acceding to the document as if everything in the status quo of the document works and I am just struggling how annexe 2 is going to work in practice, I don’t think we need to spend any time discussing how it’s going to work in practice unless there is a blatantly obvious answer that I am, I’m totally missing but I… my immediate look at this is thinking I am not quite sure how, how that happens.  I can see how it roughly happens but I can’t see it exactly happens and acceding to a document is signing up to it as it is, not signing up to it with some different changes because then you are having to change everyone’s structure so it will be interesting to see how that plays out in reality.

Ashley Winton
I think that’s fine, you know, it’s not, I mean the Commission sometimes have a rather simplistic view about what happens in the real world because in the real world you will have different processors or sub-processors doing not the whole subject but part of it, various components and of course those as you say Adam, those sub-processors will have different security standards and it’s just not possible nor economic almost to force them to follow your security standards, they have their own standards which are perfectly adequate and so there will be variances in the supply chain, all this kind of processing and sub-processing of data and it’s just not clear how this multi-party approach is going to work in real life when different people do things in different ways, subject to different levels of security.

Adam Rose 
So I think we’ve sort of spoken quite broadly about how this is going to work and we’ve delved in and jumped into, into some of the detail as well.  I find it quite interesting looking at some of the actual language used and how that language differs from the prior version of standard contract clauses and how its addressing, sometimes addressing the way things have moved on, sometimes addressing things that they are just stuck with, I sort of think it was interesting there is not a section on obligations of the parties, it’s clause 8 of the new standard terms, it says ‘the data exporter warrants that it has used reasonable efforts to determine that the data importer is able through the implementation of appropriate technical and organisational measures to satisfy its obligations under these clauses’ and that’s sort of, that’s sort of looking at Schrems, it’s slightly watered down I think in fact from the current version that is to use reasonable efforts.  I don’t know if there are particular things that have jumped out to you from the body of the new form standard contract clauses and maybe we should sort of finish on any, any thoughts you have had there and close off this session but Ashley, any particular points, pointers, thoughts that you would want to share in relation to these new form standard contract clauses?

Ashley Winton
Yeah there are a couple of things.  So even in that section you were looking at, so here for a controller to controller transfers in 8.2 it says that the data importer as in the person receiving the data outside of Europe, has this obligation for transparency, it’s got to tell the data subjects certain things if they have not already been told by the exporter or otherwise they know about these things.  Well hang on a second how is the data importer going to know what the data subject has been told early in the customer journey and if they have not been told, it’s going to be liable so this clause on its own wouldn’t work and you and I, Adam as contract drafters will need to make sure that elsewhere we introduce language which protects the data importer in the case where the data subject has not received the required information from the exporter.

Adam Rose 
And on that, 8.2d is interesting because in 8.2d it says, ‘the paragraphs above are without prejudice to the obligations of the data exporter under Articles 13 and 14 of GDPR’.  Well Article 13 is your standard privacy notice, Article 14 is a privacy notice to be given by a person who has obtained your data other than from you.  In other words a processor for example and therefore you would have thought that an Article 14 obligation would fall on the data importer who hasn’t received the information directly from you rather than the data exporter who in the case of a controller transfer normally will have received the data directly from you but might itself have received it from another controller or from another processor so…

Ashley Winton
That’s right its funny isn’t it.  So the poor importer has two levels of obligation.  They have to comply with 14 as you say because they received the information indirect and they have got this additional obligation at 8.2.  So that’s a bit of a muddle.  That needs to be worked through.  In the small print, something else I would mention is onward transfer.  So onward transfer, remember we mentioned it before, is this business of the person who has received your data kind of pushing it on to another entity either in their country or another country and it happens a lot and the provisions have changed.  One really, really useful provision in the old standard contractual clauses was a provision which said you are allowed to onward transfer data on a kind of a notice and objection format and that is gone and so it is now consent only so if your business concerns onward transfer you’ve really got to scrutinise the provisions in these contracts really carefully.

Adam Rose 
Anything else Ashley that you think we should be raising.

Ashley Winton
Well let’s just go back to and we didn’t quite cover it, we will go back to the timing.

Adam Rose
Yes.

Ashley Winton
Which is I think what people need to worry about or be concerned about and then we’ll just chat about some practical things about what they should be doing or thinking about doing.

Adam Rose
Yeah.

Ashley Winton
Once they and we have all read these in a bit more detail.  So on timing we mentioned that the existing standard contractual clauses will go in about 3 months plus 20 days and a bit and then there is a 15 month period where you can continue to use the existing standard contractual clauses…

Adam Rose
And once that…

Ashley Winton
…the ones you’ve got today.

Adam Rose
...that’s found in Article 4 of the sort of the what you call the explanatory document and I called the sort of recitals documents.

Ashley Winton
Yes.

Adam Rose
It’s on page 8 right at the very end of that document that sort of accompanies and introduces the new standard contract clauses.  So that’s got the 15 months and it just says at the moment we don’t know when it is because it just says in yellow highlighter, please add date 15 months from the date in Article 4.2 and 4.3 and the date in Article 4.2 and 4.3 is the date that the existing standard contract clauses are repealed which is 3 months and 20 days after this is all published in the official journal which is a date we don’t yet know.

Ashley Winton
So in theory we’ve got 18 months haven’t we.

Adam Rose
Correct.

Ashley Winton
We’ve got the 3 months where we can carry on using, then this kind of 15 months, let’s call it the grandfathering period where you can continue to use…

Adam Rose
I think you can call it a grandmothering period as well now days or co-parenting.

Ashley Winton
Thank you for being politically correct there, thank you for that Adam.  But there is a kicker in recital 24 because look it says in 24, it says, if there is any changes to the way that you process your personal data and actually I think it also says, if you change your sub-processors, then the grandfathering no longer works and you need to adopt the new standard contractual clauses there.

Adam Rose
And I guess immediately if you are outside the 3 months there is no leeway given so you’ve got your 3 months to work out what’s going on.  You’ve then potentially got 15 months, you might kill that 15 months with a drop dead date because of the way life changes and business changes.

Ashley Winton
That’s right, so you can’t, it’s not a question of, of putting this on the back burner for 12 months and worrying about it in a years’ time, you need to start looking at it soon than that.

Adam Rose
So we are theoretically looking if you sort of say, just say it’s published in the official journal about now and you say let’s take 20 days, say you get to the 30 June, so you then get another 3 months which will take us to the 30 September and you get another 15 months which would take us to the end of 2022.  So you might look at it today and say we’ve… give or take we’ve got 19 months to get our act together.  The reality is actually much tighter than that.  The reality is for anything that’s new or vaguely new you are really having to deal with it now or at the moment, at the time and in then the long stop date is going to be the end of 2022 give or take a few days one way or the other.  So on a practical basis companies need to be getting their act together quickly.

Ashley Winton
And there is a lot to do, let’s think about the practical steps.  Step 1 is your data mapping. Now who knows, you may have done it with the GDPR, you may not have done it.

Adam Rose
And obviously nothing would have changed since 2018.

Ashley Winton
Well so you clearly have been keeping it up-to-date for the last 2 years or so or 3 years.

Adam Rose
3 years.

Ashley Winton
And it’s not, if not, thank you, 3 years, and if not you’ve got to go back and update that data transfer map, you know where you were putting things and on your map which you thought was extremely useful, you now need to amend it because you need to work out whether the companies you are sending data to are subject to the GDPR themselves or not.

Adam Rose
And what they are and are they controllers or processors?

Ashley Winton
What they are.  So it’s, you have to go back to that map, update it and amend it in this way.  That’s got to be step 1 or you are going to make no progress with this.  Step 2 you’ve got to find your commercial relationships.  Again this is either intra-group, that’s kind of easy to find right but the ones with your suppliers or ones with your customers, joint venture parties, other things included of course, you’ve got to find that, find that documentation which is a challenge in itself, find out what existing measures you are using, so you can be prepared to then update all of those contracts and there could be thousands that would need to be updated in light of these new standard contractual clauses.

Adam Rose
The challenge is there is no easy alternative to this, if you are going to be a compliant company, standard contractual clauses present a sort of relatively easy route and I only say relatively easy because binding corporate rules are possibly a better route but are a, sort of a for lots of companies, a much bigger exercise.  For some companies it’s probably a cheaper, quicker route to actually go down the binding corporate rules route rather than chasing around all these standard contract clauses but for big international companies they really do need to do some, some proper thinking as to, as to what they want to do now.

Ashley Winton
I am a huge fan of binding corporate rules and I really think that although you may have looked at them before and discarded them because you are worried about cost or timeline or complexity, I actually think that if you’ve done your GDPR exercise reasonably well, you are much further along the GDPR compliance process than you think and I secretly think when you come and do the maths and the analysis they could well be the cheaper option here.  It is certainly something to consider.

Adam Rose
Ashley thanks a lot for your time today and thank you to everyone who has listened in to this Mishcon Academy Digital Session.  Other sessions are available on our website and everyone is very welcome to download those, listen to those while you are going on your lockdown walk or whatever stage you are in in your own location.  Thanks everyone for listening in and see you all soon.

The Mishcon Academy Digital Sessions.  To access advice for businesses that is regularly updated, please visit Mishcon.com.

On 4 June 2021 the European Commission issued new standard contractual clauses (SCCs) for data transfers between EU and non-EU countries. These modernised SCCs will replace the previous three sets of SCCs that were adopted under Data Protection Directive 95/46.

In this 'Initial Reactions' session, Partners Adam Rose and Ashley Winton from the Data Protection team discuss their thoughts and analyse some of the key changes.

Commenting additionally on the new approach, Ashley Winton said:

"The risk of "Schrems III" is now on the boardroom agenda.  The prior cases brought by Max Schrems concerned the export of personal data out of the EU.  With the EU-UK adequacy decision in the balance, the reported wish for Privacy Shield version 2 to be announced in time for President Biden's visit and the new Standard Contractual Clauses announced today – focus needs to be turned to how companies are legitimising the export of their personal data from Europe.  The question is not just how this should be done, but what should they do if these mechanisms are challenged and overturned in the European Courts again."

This session was recorded on 4 June 2021. All information was correct at time of recording.

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else