The New European Commission Decision on Standard Contractual Clauses: A System Reform?

Keywords: standard contractual clauses – Commission Implementing Decision - cross border data flows – personal data processing – data protection – controller and processor’s responsibility.
 

Standard contractual clauses (SCC) constitute one of the legal bases that under Regulation (EU) 679/2016 allow data transfer towards third countries in the absence of an adequacy decision.[1] In particular, SCC are contractual obligations agreed by an exporter established in a Member State and an importer established in a third country.

On 4 June 2021, the European Commission adopted the Implementing Decision 914/2021/EU on standard contractual clauses for the transfer of personal data to third countries pursuant Regulation (EU) 679/2016.[2] The new framework of model clauses provided by the Decision aims both at facilitating international data transfers and at ensuring appropriate data protection safeguards.[3] The evolution of an increasingly globalized market, in which cross border data flows are necessary for the expansion of international trade, has led to the creation of data transfers chains characterised by a plurality of controllers and processors, where the principal transfer is followed by a series of subsequent transfers and, therefore, processing.[4] The new Decision addresses some of the most critical issues of previous models of standard contractual clauses: the contractual gap caused by the lack of regulation concerning data transfers chains, together with the non-derogable nature of the clauses.

The Decision 914/2021/EU is followed by an annex, which provides different models of clauses depending on the subjects operating the transfer. It also includes an appendix with an explanatory note, and three more annexes, which must be filled by the subject operating the transfer with the required information.

One of the major innovations of Decision 914/2021/EU concerns the structure of the SCC. To adapt to different scenarios and to the growing complexity of modern processing data chains, general clauses are combined with a modular approach. In addition to general clauses, controllers and processors shall select the module that fits their situation, “so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question”.[5] Such structure mirrors the aim of the Decision to allow a variety of subjects to adhere to standard contractual clauses, enabling further controllers and processors – as importers and exporters – to access the system of model contractual clauses for the entire duration of the data processing. The ratio of the approach of the contractual scheme is to adapt model clauses to various operations that may take place between importer and exporter of data, depending on their role in the transfer.

A total of four models of contractual clauses is provided. As for previous Decisions,[6] they are dedicated to transfers of data taking place between an exporter established in the territory of the European Union and an importer established in a third country. The Decision grants, for a plurality of parties, the possibility to “adhere or accede to a single set of contractual clauses, potentially limiting the number of separate contracts companies must sign when onboarding new vendors or service providers”.[7] Moreover, in the fourth model, the Commission takes into consideration for the first time transfers occurring between processors and from a EU processor to a controller established in a third country. For this reason, the fourth model has received appreciation by the European Data Protection Board and by European Data Protection Supervisor.[8]

The overall structure of this new model raises some challenges. Indeed, the possibility of interfacing different contractual forms within the same general model is likely to generate some uncertainties in its practical application.

In more general terms, the new Commission Decision appears to suggest a significant shift in the scope of application of the SCC. Art. 1 of the Decision on the scope of application of the model clauses states that “[t]he standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 679/2016 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer)”.[9] This would mean that the clauses should be adopted only when Regulation (EU) 679/2016 is not directly applicable to the importer. As a consequence, the mechanisms to operate data transfers outside the European Union may not be necessary when data are transferred to a subject whose activities fall under art. 3(2) of Regulation (EU) 679/2016.[10] According to the European Data Protection Board, “the EDPB will also further asses the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V”.[11] Chapter V of the Regulation (EU) 679/2016 points out that the aim of personal data transfer mechanisms is to ensure an adequate level of protection of data. It therefore appears that such mechanisms should not be necessary when it is possible to directly apply EU data protection law.

While the new model of clauses provided by the Decision is surely able to update and redirect EU law in the light of new trade practices, it remains to be seen if the application of the clauses will, in practice, solve the critical issues raised by the previous systems of model clauses.