On 4 June, the European Commission published new GDPR Standard Contractual Clauses (SCCs). There were actually two sets: the "Standard Contractual Clauses for data transfers between EU and non-EU countries" (Transfer SCCs), to legitimise the export of personal data, and the "Standard contractual clauses for controllers and processors in the EU/EEA" (Processor SCCs), which reflect the provisions of Article 28 of GDPR setting out the contractual provisions that must be in place between a controller and a processor. The new SCCs have understandably been the focus of much commentary, including our initial reactions podcast, in which Mishcon de Reya Partners Adam Rose and Ashley Winton gave their immediate expert commentary. One thing raised in the podcast, which seems to have escaped the attention of some, appears to be of potentially major significance: according to recital 7 to the decision which brings the Transfer SCCs into effect (known as the Implementing Decision), the Transfer SCCs are not appropriate to use when the recipient is itself subject to the GDPR. This possibility arises where the recipient is subject to the GDPR's extra-territorial provisions in Article 3. In passing, this also provides some vindication for the UK's Information Commissioner's Office which, for some time, has stated its view that a transfer of personal data to a recipient which is subject to the extra-territorial provisions of GDPR (and now, UK GDPR) is not a "restricted transfer" requiring particular measures to be put in place.
The previous version of the SCCs provided a framework for the international transfer of personal data from the EEA to recipients in third countries (or, at least, to those countries on which the European Commission has not yet conferred an "adequacy" decision).
However, the Transfer SCCs are not a direct replacement. Recital 7 to the Implementing Decision says that the Transfer SCCs:
may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [GDPR]
The significance of that recital 7 is that processing by importers who are not established in the EU, but where the processing activities are (i) made in the context of the activities of an establishment in the EU; or (ii) related to the offering of goods and services to, or the monitoring of the behaviour of, data subjects in the EU, will fall within GDPR's scope. Therefore, as a result of recital 7, the Transfer SCCs need not (in fact, may not) be used to effect transfers from the EU to those importers. The appointment of a processor where the processing activities are caught by Article 3(2) of GDPR will instead need to be subject to the Processor SCCs, rather than the Transfer SCCs.
What is important to note is that the territorial scope provisions of Article 3 GDPR talk about processing being in scope of the GDPR, not about whether the entity which is doing the processing is within scope. This is a point the European Data Protection Board has previously made: "the application of Article 3 aims at determining whether a particular processing activity, rather than a person (legal or natural), falls within the scope of the GDPR. Consequently, certain processing of personal data by a controller or processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not, depending on the processing activity".
Consider the following scenario: a French company is subject to GDPR (under Article 3(1)) and offers goods and services to data subjects in the EU, but it uses a US company as a processor (say, for customer payment processing). In those circumstances, the processing activities by the US processor are "related to" the offering of goods and services (by the French controller) to data subjects in the EU, and so Article 3(2)(a) applies to those processing activities. As a result of recital 7, the transfer of personal data from the French controller to the US processor will not be subject to the new Transfer SCCs, because the processing by that importer falls within GDPR's scope. It will, however, as noted above, be subject to the Processor SCCs. But what if that French company also engages the very same US company to process data as a controller, and not as a processor? In those circumstances, neither the Transfer SCCs nor the Processor SCCs apply.
However, recital 7 goes further, in that it says that the Transfer SCCs may be used for:
the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.
So if the recipient, the US processor, is subject to the GDPR because the processing activities are related to the offering of goods and services to, or the monitoring of the behaviour of, data subjects in the EU, and so fall within GDPR's scope, then the Transfer SCCs are to be used for any "onward transfer", i.e. any transfer from the US processor to any third party not in the EU. The details can be found in clause 8.7 of Module One of the Transfer SCCs.
And just to add an extra complication, the UK GDPR also has its own Article 3 territorial scope provisions. The Information Commissioner's Office has said it intends to consult on a UK version of SCCs "this summer". It isn’t yet clear if the ICO will adopt both a UK version of the Transfer SCCs and (what we should probably call) Article 28 SCCs.
There seems the potential, unfortunately, for a very complex contractual situation for some organisations who might, for instance, move data between the EU, the UK and third countries. The impact on outsourcing, in particular, is clear – and complex. In fact, most businesses are engaged, to some degree or other, in using third parties to undertake processing for them, both in-country and abroad. The SCCs, whilst enabling international data transfers to take place in an authorised manner, are also adding a layer of complexity that companies will need to get to grips with quickly.