Contributed by: Samvad Partners
1. Background
The last year has seen significant changes in the GDPR regime pertaining to international data transfers. The changes originated from a suit initiated by the activist Maximilian Schrems (“Schrems II”). The resulting decision of the European Court of Justice (“ECJ”), which invalidated the EU-US Privacy Shield as a mode for cross-border transfers, has had a cascading effect. The ECJ passed such a decision in light of the power of the US government to access personal data transferred from the European Economic Area (“EEA”) to the US. The decision has not only impacted data transfers between the EEA and the USA but also fundamentally changed the requirements for international data transfers from the EU to any third country.
2. What are the SCCs and Why are they Relevant?
The GDPR lays down specific conditions for transfers of personal data to third countries. One of them is that there must be an EU Commission decision on the adequacy of the level of protection that the country in question ensures. In such cases, specific authorization will not then be required for such transfers.
If the country is deemed to have inadequate protection, Article 46 of the GDPR provides that appropriate safeguards would have to be implemented. This, again, would not require any specific authorization from a supervisory authority. One of the safeguards envisaged is the ‘standard data protection clauses adopted by the European Commission.’ The legacy SCCs were adopted under Directive 95/46 and were approved by the European Commission in 2001 (amended in 2004) and in 2010. In practice, the data exporter from the EEA is generally not permitted by law to deviate from the SCCs or contract out of them.
3. Status of SCCs Post Schrems II
The ECJ has upheld the use of SCCs in principle. Current cross-border data transfer agreements executed through SCCs remain valid. However, there is now a much higher threshold for data transfers from the EEA to third countries deemed to have inadequate privacy protection.
4. Adoption of new SCCs
The European Commission adopted two new sets of SCCs on June 4, 2021. The first pertains to transfers between controllers and processors within the EU under Article 28 of the GDPR, which is entirely optional to adopt. The second set pertains to international data transfers, which is the focus of this article. It will be important for all Indian entities which are the recipient of transfers of personal data from the EEA, to take note of the requirements of the new SCCs and the obligations that come with it.
4.1 The revamp
The SCCs in relation to transfer of personal data to third countries were the need of the hour for broadly three main reasons:
(a) The legacy SCCs are in line with the obligations under Directive 95/46/EC (1995 Directive). However, when the GDPR came into effect in 2018, the SCCs had to be updated to adapt to the obligations under it.
(b) The Schrems II judgement questioned the reliability of the legacy SCCs.
(c) The legacy SCCs had various shortcomings, such as those related to chains of multiple transfers, among others.
4.2 Transition period
The implementing decision of the European Commission on the new SCCs provides for a longer transition period to execute the new SCCs, which is as follows:
(a) The new SCCs come into force, and can be used, from 27 June 2021.
(b) The legacy SCCs will be repealed three months after the new SCCs come into force, on 27 September 2021 (“Repeal Date”).
(c) Legacy SCCs that were entered into before the Repeal Date will remain valid for another 15 months, until 27 December 2022.
Hence, organisations now have over 18 months to ensure a smooth transition.
5. Key changes and additions within the new SCCs
5.1 Scope
(a) Nature of the parties and agreement
Legacy SCCs: The legacy SCCs only catered to controller-to-controller transfers of personal data (“C-C”) and controller-to-processor transfers of personal data (“C-P”). With the advent of the complex structures of modern outsourcing, several concerns surfaced with such an approach, since other types of processor-focused relationships were excluded.
New SCCs: The new SCCs aim to address the said gaps. The different kinds of transfers under the new SCCs are: (1) C-C, (2) C-P, (3) processor-to-processor transfers of personal data (“P-P”), and (4) processor-to-controller transfers of personal data (“P-C”).
These modules allow for a flexible approach to be adopted by different entities depending on the particular nature of the transfer. In addition, this allows for multi-partite agreements which are often present in data transfers.
(b) Territoriality of the parties
Legacy SCCs: The legacy SCCs envisioned the personal data transfer from a data exporter ‘established’ in the EEA to a data importer outside of the EEA. This created a considerable challenge for the exporting party who was not ‘established’ in the EEA yet was subject to GDPR (due to Article 3 of the GDPR). Article 3 of the GDPR applies GDPR obligations even to entities not ‘established’ in the EEA, if their activities include the processing of personal data of individuals in the EEA, in connection with offering goods or services to, or the monitoring of activity of those individuals. The legacy SCCs did not adequately address these extraterritorial applications.
New SCCs: The new SCCs broaden the territorial scope and explicitly state that the data exporter must be a party who is ‘subject’ to the GDPR. They also provide that the data importer in the third country must be a party who is ‘not subject’ to the GDPR. Recital 7 of the EC’s implementing decision on the new SCCs further clarifies that the new SCCs may be used only to the extent that the processing by the data importer does not fall within the scope of the GDPR.
5.2 Docking clause
The new SCCs have been designed to ensure greater flexibility, as they provide for a ‘docking clause’. This clause enables the original signatories to add more parties to the SCCs in question over time.
5.3 Liability rules
Unlike the legacy SCCs, the new SCCs provide for a liability mechanism similar to the one under the GDPR. The key elements are: (1) liability for any material or non-material damages; (2) joint and several liability in applicable cases; and (3) entitlement to claim back damages from the counterparty.
5.4 Transfer impact assessment
Under the new SCCs, the data importer is obligated to conduct a transfer impact assessment in conjunction with the data controller. This consists of the following five broad steps: (1) risk assessment, (2) warranty to the counterparty, (3) documentation of the assessment, (4) notification if future laws subject the data importer to any additional obligations, and (5) remedying the situation if such laws override the safeguards.
5.5 Governmental data access requests
Legacy SCCs: The legacy SCCs stipulated that, unless prohibited, the data importer must promptly inform the data exporter in case they receive a ‘legally binding request’ to disclose the personal data from a law enforcement agency.
New SCCs: The new SCCs encompass the following commitments on the part of the data importer: (1) notification of legally binding access requests or attempts, (2) information regarding the request, (3) challenging the request based on a review of its legality and seeking interim measures, (4) documenting the assessment, and (5) providing only the minimum amount of data necessary under local law.
5.6 Focus on cybersecurity
Legacy SCCs: Required a general list of technical and organisational measures.
New SCCs: The new SCCs take these cybersecurity obligations a few steps further and bring about two new changes:
(a) A more specific and detailed list of technical and organisational measures particular to the transfer.
(b) Obligations in relation to personal data breaches in relation to the following three modules:
5.7 Onward data transfers
Unlike the legacy SCCs, the new SCCs provide for onward transfers, that is, the transfer of personal data by the data importer to a third party outside the EEA. The conditions for onward transfers are:
6. Impact of new SCCs on Indian entities and Ambiguities
Indian entities, either data controllers or processors, have typically executed SCCs with entities from the EU as a method to safeguard and legitimise the transfers.
The clarification regarding extraterritorial application will require Indian controllers or processors who are not covered by Article 3 of the GDPR to implement the safeguards required in the SCCs. However, there remains significant confusion regarding territorial application. Particularly, the situation is unclear as it relates to data importers who are already ‘subject’ to the GDPR. In the absence of further guidance from the EDPB, there may be difficulties in carving out the scope of contractual obligations with respect to activities of the data importer which are covered or not covered by the GDPR.
The modular structure of the new SCCs will offer a greater degree of flexibility to parties. It will allow for multi-partite agreements in the context of more complex transfers and where there are multiple entities. However, there remains a lack of clarity with respect to whether Data Processing Agreements pursuant to Article 28 of the GDPR would still be required, if all the obligations under the same are covered by the new SCCs. The cascading of obligations down the entire supply chain will require contracts to be executed at each stage within the transition period. The guidance is also unclear on the extent to which parties could negotiate around the SCCs, and what types of clauses would constitute a contradiction to the SCCs.
Indian entities which have executed SCCs with EEA entities will also need to note the extensive requirements pertaining to access requests from governmental authorities and transfer impact assessments. Given the powers of access and surveillance that governmental and law enforcement authorities in India have, there may be significant confusion with respect to reporting a disclosure request. The Indian government derives such powers from Section 69 of the Information Technology Act, 2000, the Intermediaries Guidelines, 2021, as well as from telephonic and internet communications surveillance laws such as the Indian Telegraph Act and Rules, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009. The absence of a data protection law and an independent supervisory authority increases the level of risk. Additional terms may have to be negotiated with EEA entities with respect to responses to disclosure requests, expenses to be shared by the parties, and indemnification.
In addition, the obligation on the data importer to notify the supervisory authority on their own in cases where there is ‘risk’ or ‘high risk’ towards the freedoms and rights of data subjects, would also imply a continual obligation to assess the state of data protection law in India. This would necessarily result in a significant increase in compliance requirements.
Lastly, the EDPB Guidelines on Supplementary Measures categorically state that supplementary measures are to be implemented if it is determined that the law of the third country impinges on the effectiveness of the Article 46 transfer tool that the parties are relying upon. The EDPB has contemplated three types of supplementary measures: (i) technical measures, (ii) contractual measures, and (iii) organisational measures. Therefore, if the data exporter or an EU supervisory authority deems that Indian law impinges on the effectiveness of the SCCs, or that the power granted to public authorities to access the transferred data goes beyond what is necessary and proportionate in a democratic society, an Indian data importer may be required to implement these additional supplementary measures or suspend the transfer.
In conclusion, the requirements brought about by the new SCCs have increased the obligations of data importers and will require a consistent evaluation of national laws. While the new SCCs have resolved some of the ambiguity that arose post Schrems II, further guidance is required from the European Commission regarding territorial application. Entities engaged in cross-border transfers must review the new SCCs, begin to implement the necessary technical and organisational measures, and assess where their risks and liabilities lie.
The above article has been authored by Mr Rohan K George (Partner) and Ms Sriya Sridhar (Associate).