If your organization has peers based in the European Union (EU) and their relationship involves the transfer of personal data originating from that region, you should take note of the new set of standard contractual clauses (SCCs) adopted last June by the European Commission (EC). While you’re at it, you may also want to consider browsing the recommendations of the European Data Protection Board (EDPB) on possible supplemental measures relative to those SCCs.
For the uninitiated, an SCC is a contract designed to make sure there are appropriate data protection safeguards for international (personal) data transfers from the EU. Entities over there can include it in a wider contract they have with their counterparts outside the region. It’s one of several options available to them if they wish to keep doing such transfers in a manner consistent with the EU’s data protection rules.
The SCC mechanism has been around for a while, predating the EU’s General Data Protection Regulation (GDPR). The enactment of the GDPR, with all its new requirements, is actually one major reason why the old SCC templates had to be reviewed and amended. That, and two other factors.
The first has to do with our digital economy. Significant developments in the field made it necessary to modernize the SCCs. We now have more complex processing operations that involve multiple data exporters and importers, complicated processing chains, and evolving business relationships. As legal tools, it is crucial that SCCs reflect this reality and allow for a more flexible approach to data protection by way of contracts.
And then, there’s the aftermath of the Schrems II decision of the Court of Justice of the European Union. While that case is more famous for invalidating the EU-US Privacy Shield scheme, its other prominent consequence was to cast doubt on the effectiveness of SCCs. It is true that the court upheld their validity. At the same time, though, it also saw them as requiring significant improvements.
Hence, these new SCCs which now feature a number of changes, the more prominent of which include the following:
- They now combine general clauses with a modular approach that caters to different transfer scenarios and takes into account the complexity of today’s processing chains. That means some provisions can be removed, depending on the type of data transfer in play.
- They now recognize processor-to-processor and processor-to-controller data transfers. The old templates only contemplated controller-to-controller and controller-to-processor data flows.
- They can now feature more than two entities as parties. On top of that, with the possibility of inserting a docking clause in a contract, additional controllers and processors are allowed to join or accede to an existing SCC for the duration of its term.
- Because of Schrems II, they now provide for specific safeguards that address the effects of third country (i.e., non-EU) laws and practices on the ability of data importers to comply with the SCCs. If they make compliance impossible, the transfer and processing of personal data must not push through. However, if compliance issues can be addressed by adopting supplemental measures, then the parties can agree to pursue that option.
- While the SCCs themselves still cannot be amended, parties are free and even encouraged to add other clauses or additional safeguards, as long as these do not contradict the SCCs, directly or indirectly, or prejudice the rights of data subjects.
What’s in it for PH companies?
Having dealt with an increasing number of SCCs these past few years, I see a couple of reasons why Philippine organizations should give them the attention they deserve.
An obvious one is that it allows them to review SCCs effectively when their EU counterparts insist on their execution. They should be aware of what these SCCs look like, and ought to be able to distinguish provisions that are actually prescribed by the EC from those simply added by the other party. The latter may be made the subject of proper negotiations.
It also lets them identify and remedy gaps, particularly in instances where data transfers go both ways. SCCs will protect personal data exported out of the EU. They say nothing about personal data brought into the region, including the corresponding responsibilities and liabilities of the EU-based data importer and the Philippine company acting as data exporter in that scenario. Aggrieved data subjects who are Filipinos or Philippine residents may have some recourse against the domestic entity, but the latter will be at a disadvantage when going after the erring EU entity if it does not protect its interests properly with a complementary contract or provisions.
In my line of work, I have encountered EU organizations insisting that certain conditions found in their prepared contracts are required by the EC. Some argue that no provisions or safeguards can be added to SCCs, even if it’s just to extend the benefits of data protection to the data of both sides. Others would also have you believe that SCCs are meant to cover all types of data transfers, regardless of the site of origin. All of these, of course, are false. But the only way one would know that is if one were familiar with the SCCs, to begin with.
Like the SCCs, the EDPB recommendations are intended primarily to benefit EU organizations, and are particularly useful in situations where a data exporter is unsure about the ability of a prospective data importer to comply with the SCCs, given the legal system and practices in the latter’s country.
If, for instance, the data importer is located here in the Philippines, the EU data exporter could ask itself any number of questions, like: Can the Philippine government access the data with or without the data importer’s knowledge — if not through the data importer maybe through telecommunications providers or communication channels? Do EU-based data subjects have remedies against unlawful government access to their data? Is the National Privacy Commission a truly independent data protection authority?
If the data exporter believes that compliance with the SCCs is unlikely, it must not move forward with the data transfer. On the other hand, it can also adopt supplementary measures if it believes these will overcome the compliance hurdle. Such measures may be contractual, technical, or organizational in nature. The data exporter is responsible for determining, on a case-to-case basis, what supplementary measures will be effective for a particular data transfer.
In the meantime, keep in mind that if your organization is party to an SCC based on the old template and such contract is executed on or before September 27 next month, the finalized agreement will only be considered as providing appropriate safeguards within the meaning of the GDPR until December 22, 2022. By September 28, use of the new SCCs will be mandatory. Also, if processing operations covered by an old SCC change or are subjected to deviations, the parties will have to draw up a new SCC that should be based already on the new templates.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to [email protected]