The arrival of the new EU Standard Contractual Clauses (“EU SCCs”) for international transfers in June 2021 was widely anticipated, as they were expected to clarify the new requirement to assess third-country laws on government access to data before relying on the SCCs, following the Court of Justice of the European Union’s (“CJEU”) decision in Schrems II. In addition, the EU SCCs were updated to reflect the requirements of the EU General Data Protection Regulation (“GDPR”) and now enable organisations to cover a wider range of data flows than their previous versions, thanks to the addition of ‘processor-to-processor’ and ‘processor-to-controller’ scenarios. Binding Corporate Rules (“BCRs”), another transfer tool available under the GDPR, have not yet been updated with the same flexibility to accommodate the diversity of data flows and presently appear limited in use by comparison. It is expected that the European Data Protection Board (“EDPB”) will publish updated BCR requirements in 2022.
Both BCRs and EU SCCs are appropriate safeguards listed under the GDPR for transfers of personal data to third countries (Article 46). BCRs permit intra-group transfers of personal data from the EU members of the group to group members in third countries once BCRs are approved by a competent supervisory authority in the EU and the relevant group members adhere to the BCRs. BCRs mainly cover data flows:
(a) from internal controllers to controllers and processors within the group (Controller BCRs), e.g. to allow transfers of employee data within the group;
(b) from an external controller to processors within the group (Processor BCRs), e.g. to allow transfers to sub-processors within the same group and address global outsourcing arrangements.
The EU SCCs serve as a tool to transfer personal data from both a controller and a processor (external or internal). Modules 1 and 2 reflect the previously existing scenarios: ‘controller to controller’ (Module 1) and ‘controller to processor’ (Module 2). Module 3 addresses the long-awaited scenario of ‘processor to (sub-)processor’ transfers. Module 4 covers transfers from ‘processor to controller’.
Many multinationals with BCRs engage third-party processors, and BCRs do not currently cover such data flows with an external processor. The flexibility afforded by the EU SCCs means businesses with BCRs must turn to the EU SCCs to address data flows with third parties on top of their BCRs. For example, where (a) an EU-based controller with BCRs uses an external non-EU-based processor, or (b) a US-based processor that adheres to intra-group BCRs transfers data to an external third-party sub-processor, in both cases they need to rely on another data transfer mechanism, e.g. the EU SCCs.
Whilst the SCCs and BCRs are both appropriate safeguards for transfers of data to third countries that are meant to achieve the same purpose of ensuring enforceable data subject rights and effective legal remedies for data subjects, BCRs are presented as a higher standard for international transfers by companies with BCRs in place.
They may have a point for a number of reasons. BCRs are tailor-made for specific data flows within the group of companies rather than a pre-approved ‘out-of-the-box solution’. Businesses applying for BCRs must provide evidence that the internal data protection policies they put in place between adhering members of the group are “effectively” legally binding on such members of the group globally.
In addition, since 2018 data importers subject to Processor BCRs (but not subject to the GDPR) must maintain a record of processing activities, assist the controller with compliance with the GDPR principles, and commit to ensuring data protection by design and by default[1]. These requirements go above and beyond the Article 28 obligations that the GDPR imposes on processors and reflect the specific requirements of the GDPR in connection with BCRs (Article 47.2), which are not listed as contractual commitments of data importers under the EU SCCs. In this sense, the focus of the BCRs goes beyond the transfer itself and imposes the GDPR obligations on data importers for the entire data lifecycle (from the start of processing to deletion).
This is not to say that the EU SCCs have not evolved. They are also no longer (as was often the case in the past) just a simple add-on to any agreement. Data importers have to adjust their transfers to comply with the requirements of the EU SCCs, because of the new obligation on data importers to demonstrate compliance with the EU SCCs, including keeping appropriate documentation of the processing activities carried out under them. Processors also have to ensure the accuracy of the data and give notice without delay if data is inaccurate or outdated. These obligations also go above and beyond the requirements of Article 28 of the GDPR.
Despite the high standards of commitment required under the BCRs, the rate of BCR approvals (both controller and processor) increased in 2021, with 19 companies obtaining approvals compared to 8 in 2020 and just 1 in 2019.
Following the UK’s withdrawal from the EU, the process of getting BCRs approved has become more complex for multinationals operating throughout Europe. Holders of BCRs transferring personal data from both the United Kingdom (UK) and the EU now need to get two versions of their BCRs approved: one by the competent supervisory authority in the EU and one by the UK’s Information Commissioner. This leads to additional cost and a lengthy approval process, making BCRs less appealing. The approval process in the EU reportedly may also last several years given the limited capacity of some supervisory authorities, and BCRs cannot be relied on until they are approved.
So, given these complexities and the flexibility afforded by the new EU SCCs, the EU SCCs will likely end up being used more often until the BCRs are updated to address the gaps. Moreover, if BCR approval takes a long time, companies that have already adjusted their processes to the EU SCCs may be reluctant to change their internal processes again once the BCRs are approved.
Another point to consider is that we may see the implementation of new transfer tools, such as codes of conduct, in 2022. Codes of conduct are listed as appropriate safeguards under Article 46 GDPR. Controllers and processors in third countries that are not subject to the GDPR may adhere to a code of conduct which has been (1) approved by a competent supervisory authority in the EU and (2) granted general validity within the EEA by the EU Commission. Although the checklist provided in the EDPB guidelines on codes of conduct is very close to the checklist for BCRs, a code of conduct is open for adherence by entities that are not within the same group of companies. Codes of conduct therefore have the potential to provide the necessary flexibility in covering a diversity of data flow scenarios, especially given that they are expected to be prepared by trade associations or bodies representing an industry sector, with the requisite knowledge of what the business needs.
[1] Working document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP-257), revised and adopted on 6 February 2018.