This summer - about a year after the well-known Schrems II ruling of the Court of Justice of the European Union (Court) - there have again been some relevant developments in the field of international transfers of personal data.(1) For example, on June 4, 2021, the European Commission (EC) published its final new model contracts.(2) In addition, on June 18, 2021, the European Data Protection Board (EDPB) published its final recommendations on post-Schrems II personal data transfers.(3) Finally, on June 28, 2021, the EC also issued an adequacy decision with respect to the United Kingdom. In this contribution, I briefly discuss the published final new model contracts. In a later contribution, I will also discuss the final recommendations of the EDPB and the adequacy decision with respect to the United Kingdom.(4)
On July 4, 2021, the EC adopted two model contracts for the processing and international transfer of personal data in accordance with the GDPR:
Model contracts providing appropriate safeguards for transfers of personal data outside the European Economic Area (EEA), so-called third countries, in respect of which the EC has not adopted an adequacy decision (hereinafter: the Model Contracts)(5); and
Model contracts for the protection of personal data in the context of the relationship between the controller and the processor (located both inside and outside the EEA) (hereinafter: the Model Processor Agreement).(6)
The Model Contracts and the Model Processor Agreement aim to provide companies with all the contractual tools they need when processing personal data. In this contribution, I only discuss the Model Contracts for international data transfers. The Model Processor Agreement is therefore beyond the scope of this contribution.
There are several reasons why new Model Contracts were needed. First, the previous Model Contracts were outdated. They had been drafted after the Data Protection Directive was introduced in 1998, and had not yet been adapted to the GDPR, for example. Second, cross-border data processing and transfers have become increasingly complex since the original Model Contracts were drafted. The increase in the volume, speed and variety of data transfers was not foreseen at the time. Finally, the Schrems II ruling also necessitated adaptation of the Model Contracts. Indeed, in the Schrems II ruling, the Court pointed out the need for additional safeguards and analysis in cross-border data transfers. These points have been clearly addressed in the new Model Contracts. Below, we will first discuss the content and structure of the new Model Contracts. In addition, we will answer a frequently asked question: "Is the use of the new Model Contracts sufficient to comply with the Schrems II ruling?"
The new Model Contracts contain significant changes that attempt to address scenarios not previously captured under the Model Contracts.
Modular
The new Model Contracts have a modular structure. The Model Contracts are written as one contract, consisting of three types of provisions: (i) fixed clauses, which are intended to remain unchanged regardless of the parties; (ii) modules, which are intended to be added/removed to the final contract, depending on the parties (as further described below); and (iii) blank clauses and attachments, which are to be filled in and completed by the parties with relevant information (also further described below). In other words, only some of the model contract provisions apply to all data transfers. For the remaining model contract clauses, the applicable module can be chosen:
Module 1: transfers between two controllers;
Module 2: transfer from a controller to a processor;
Module 3: transfers between two processors; and
Module 4: transfer from a processor to a controller.
In this respect, the new Model Contracts are a huge improvement for practitioners over their predecessors, which did not consider transfers between two processors and transfers from a processor to a controller. In addition to these modules, the new Model Contracts have three annexes in which information specific to the processing must be filled in:
Annex 1: Description of transfers
This annex contains a description of the parties, a description of the transfers, and a description of the competent supervisory authority. Notable is the requirement that when the data importer transfers data to sub-processors, the object, nature and duration of those transfers to sub-processors must also be specified. Thus, the exporting party is also notified about this (in line with the EDPB recommendations).
Annex 2: Security measures
Annex 2 should describe the technical and organizational security measures taken to protect the transferred data.
Annex 3: Sub-processors
Annex 3 contains a list in which the specific sub-processors that the exporter has authorized can be specified. If the data importer is instead given a general authorization to engage sub-processors, this annex is not necessary.
Simply put, parties thus supplement the mandatory provisions with i) the provisions from the relevant module and with ii) the appropriate description in the annexes.
More Parties and Docking Provision
The Model Contracts can be signed by multiple parties (which can be useful for intra-group transfers, for example). The Docking provision also provides that new parties can be added to the Model Contracts over time.(7) This is a practical improvement over the old Model Contracts.
Geographic scope
Because of the way the old Model Contracts were drafted, under those Model Contracts the data exporter could only be an EEA-based party. This created problems when a data exporter was based outside the EEA but was still covered by the GDPR by virtue of its extraterritorial scope.(8) This shortcoming has been remedied by the new Model Contracts. The new Model Contracts can also be used by a data exporter located outside the EEA who is covered by the GDPR under its extraterritorial scope.
In Schrems II, the Court considered (in brief) that model contracts must provide a level of protection that is broadly equivalent ("essentially equivalent") to the level of protection within the EEA. The assessment of this level of protection must take into account, inter alia, the relevant aspects of the legal system of the third country to which the data goes. In other words, even when the (old) model contracts are concluded, a 'transfer impact assessment' must be made. The EDPB draft recommendations on the transfers of personal data after Schrems II, which I discussed in an earlier post, also already addressed making this assessment. An important question is how the new Model Contracts relate to the Schrems II ruling and the EDPB draft recommendations on the transfers of personal data.
An entire section in the new Model Contracts is devoted to the Schrems II requirements.(9) These provisions are relevant to all four modules. Thus, the EC has supplemented the new Model Contracts with a number of specific measures in case the data importer cannot comply with the new Model Contracts due to the legislation of the relevant country. Here, the EC has adopted a risk-based approach, effectively ensuring that certain countries are not excluded from data transfers in advance (such as the United States (US), which the Court was very critical of in the Schrems II case).
Importantly, the parties must guarantee that they "have no reason to believe" that the laws of the receiving country will have the effect of preventing the data importer from complying with the Model Contracts.(10) In providing this guarantee, the parties must "take due account" of the "specific circumstances of the transfer," the "laws and practices of the third country of destination," and "any relevant contractual, technical or organizational safeguards."(11) The footnote to this provision indicates that "experience with previous disclosure requests from public authorities, or the absence of such requests" may be taken into account in such an assessment. In practice, this will mean that if an organization can demonstrate that it never or rarely receives such requests, it will categorize the assessment as low risk. This is likely to be common in practice. It is important to remember that this risk assessment must be documented and made available to the appropriate supervisory authority upon request.(12)
Finally, by signing the new Model Contracts, data importers commit to:
Notify the data exporter if the data importer has reason to believe that it cannot meet the requirements of the new Model Contracts, in which case additional measures must be taken to address the situation or, if that is not possible, the transfer must be suspended(13);
Notify the data exporter and the data subject when the data importer receives legally binding requests from government agencies (including the legal basis on which the request is made)(14);
Inform the data exporter at regular intervals during the term of the agreement of the requests received(15);
Challenge a legally binding request and use any available appeal process if the data importer has reasonable grounds to believe that such a request is unlawful. Also, in complying with such requests, the data importer must demonstrate that steps have been taken to provide only the minimum amount of personal data necessary to satisfy the request.(16)
In addition to the novelties discussed above, the new Model Contracts strengthen data subjects' rights. For example, what is new is that data subjects must have a means of contacting foreign data controllers and be compensated for damages incurred in relation to their personal data. Also, the data importer must designate a contact point for data subjects, which must immediately handle complaints or requests. In the event of a dispute between the data importer and a data subject invoking their rights as a third-party beneficiary, the data subject may file a complaint with the competent supervisory authority or take the dispute to the competent courts in the EEA.
The new Model Contracts came into force 20 days after they were published in the Official Journal of the EU. This publication took place on June 7, 2021, which means they came into force on June 27, 2021. What is relevant for now is that the old Model Contracts will be repealed on September 27, 2021. After that date, the old Model Contracts can no longer be used. Once the old Model Contracts are repealed, the EC will allow an additional transition period of fifteen months (i.e., until December 27, 2022) during which the old Model Contracts will be acceptable for existing agreements, but all new agreements must use the new Model Contracts. By the end of that period, all new and existing contracts will require the new Model Contracts.
It took a while, but finally the new Model Contracts have been adopted. The task now is for every organization that bases its international transfers of personal data on Model Contracts to replace the old Model Contracts with the new Model Contracts before the end of 2022. This will logically take quite some time. It is therefore important to start this work early.
Footnotes
(1) Court of Justice of the European Union, July 16, 2020, ECLI:EU:C:2020:559 (Schrems II).
(2) https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32021D0915.
(3) https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.
(4) https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183.
(5) https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
(6) https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32021D0915.
(7) Provision 7 of the Model Contracts.
(8) Article 3(2) GDPR.
(9) Section III.
(10) Provision 14 under A.
(11) Provision 14 under B.
(12) Provision 14 under D.
(13) Provision 14 under E and F.
(14) Provision 15.1.
(15) Provision 15.1. under C.
(16) Provision 15.2.