*Article originally posted on IAPP.org*
Privacy professionals around the world are feverishly working on configuring and implementing the European Union’s new Standard Contractual Clauses (“SCCs”). From September 27, 2021, companies in the European Economic Area (EEA) must not enter into new cross-border data transfer arrangements with companies in the United States and most other countries unless the recipient outside the EEA agrees to the new SCCs (Elisabeth Dehareng, Francesca Gaudino and Brian Hengesbaugh, The road ahead in an uncertain world of cross-border data transfers, IAPP Advisor, June 2021). Any recipient that signs the new SCCs promises that it has matching agreements in place with its own vendors (according to Clauses 8.8 and 9). Myriad businesses are affected, because every company has numerous affiliated and unaffiliated vendors and other business partners worldwide. All companies need to have the new SCCs in place by September 27, 2021 to remain open to business from the EEA.
To further complicate an already difficult situation, many other countries have issued requirements that businesses must impose similar or different contract clauses to protect personal data of their residents, including, most recently, several U.S. states. Additionally, businesses have to flow these other clauses through to multiple tiers of service providers. Addressing these requirements with separate contracts, one country at a time, quickly becomes unmanageable. A medium-size multinational business with subsidiaries, employees and customers in 20 jurisdictions, and vendors in another 20 jurisdictions, would already need to implement 400 data transfer and processing agreements. If each of those vendors has another 20 vendors, we are counting 8,000 contracts originating from one multinational business, and that is before we have looked at additional tiers of suppliers and considered that large businesses have thousands of vendors.
Privacy professionals need to develop practical approaches. Companies need to work collaboratively with supply chains and customers to pursue solutions that all businesses can scale globally. In-house counsel cannot afford to focus just on the new SCCs. Multi-stakeholder compliance teams within companies need to address requirements for data from multiple jurisdictions at the same time (see Determann’s Field Guide to Data Privacy Law, 4th Ed., 2020, Chapter 2). For most service providers, this is not only a compliance topic, but an urgent condition of sales and commercial success (see Determann/Nebel, TMT Services after Schrems II, IAPP Advisor, July 27, 2020).
Implementing the new SCCs
Just dealing with the latest from the old world presents challenging problems: the new SCCs consist of more than 25 pages (the word count exceeds 11,400), contain multiple modules, mandate selections, and require companies to fill out Annexes and prepare detailed written descriptions of security measures, processing instructions, and cross-border transfer impact assessments.
Companies must adopt the clauses without revisions or modifications in order to enjoy the corresponding exceptions under the EU General Data Protection Regulation, according to Clause 2. Companies are not prohibited from adding commercial clauses concerning liability, warranties, disclaimers and indemnification, but these must not contradict Clause 12, e.g., by rendering the clauses ineffective through an absolute limitation of liability. In practice, however, it is preferable to address risk allocation in separate commercial agreements, to avoid complicating or delaying the implementation of the new SCCs, in which both parties have a common interest. In many cases, the commercial agreements are already in place or are being negotiated by separate teams of attorneys and procurement professionals whom privacy professionals may prefer not to draw into the intricacies of data processing agreements.
In most cases, multiple modules apply to any given business relationship. Therefore, companies should consider adopting the new SCCs in their entirety and defining their applicability to particular data transfers in Annex 1, instead of signing up to individual modules separately.
Multinational companies that insist on separate, direct bilateral contracts between every subsidiary and every subprocessor on the vendor side are demanding the impractical. In most cases, solutions have to include hub-and-spoke contracting models in which one entity in the customer group engages with one entity in the vendor group, and these two entities pass the contractual commitments on to their respective affiliates. Incorporation by reference and multiple parties signing one contract should also be considered. To help each other, the parties could agree to sign separate, additional bilateral versions in case of a legitimate need.
Businesses should think long and hard about the pros and cons of using the new standard contractual clauses for processing arrangements within the EU (Commission Decision 2021/915). These are shorter and less burdensome, but introduce extra complexities. Alternatively, companies can use the new SCCs across the board for processing agreements within the EU, given that the European Commission expressly stated that the new SCCs “should also allow to fulfil the requirements of Article 28(3) and (4)” of the GDPR and constitute “standard contractual clauses pursuant to Article 28(7)” GDPR; see Clause 2 and Recitals 8 and 9 of Commission Decision 2021/914 of June 4, 2021.
With the new SCCs, companies have to document instructions for processors, which can refer to the service provider’s standard technical specifications. Also, companies need to document “transfer impact assessments” pursuant to Clause 14, implementing requirements that the European Court of Justice promulgated in its Schrems II decision and the European Data Protection Board expanded in its final recommendations on June 18, 2021. Several German data protection authorities have started to audit German companies with questionnaires, asking questions such as, “If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs, please describe in detail your reasons for this conclusion and provide appropriate evidence.” Service providers outside the EEA should proactively prepare information for such assessments to render their offerings legally usable for customers in the EEA.
Divided State Law in the United States
Multiple states have passed omnibus privacy laws, inspired by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act. Companies doing business in or with the U.S. must deal with this patchwork until possible harmonization comes from an omnibus U.S. federal privacy law. On the customer and vendor side, companies need to consider their position with respect to “selling personal information”; see Lothar Determann, California Privacy Law, 4th Ed., Chapters 2(C) and (Q). They cannot rely on exceptions for processing arrangements unless they agree on particular terms relating to selling and sharing of personal information for cross-context behavioral advertising. Under the Virginia Consumer Data Protection Act and the Colorado Privacy Act, slightly different terms are required for all controller-to-processor flows of personal information. Seemingly simple clauses like “vendor agrees to comply with California privacy laws” are ineffective and insufficient, because customers need statutorily prescribed commitments concerning the use and sharing of the customer’s data.
Some companies have started to integrate legally mandated data processing terms into commercial agreements. Others have created detailed, state-by-state addenda with complicated and repetitive terms. Form agreements often conflate commercial questions (such as risk allocation) with compliance questions (the legal need to put certain contractual terms in place) and lead to lengthy negotiations and documentation that cannot easily be leveraged for new contracts. To avoid the adverse impact on sales cycles and legal budgets, companies should consider consolidating mandated clauses in a concise set of data protection standards they would be willing to agree to as customers or as service providers, which most companies are in different parts of their businesses.
Most requirements can be addressed in less than two pages with pragmatic and concise drafting. At the end of the day, processors must commit to using the customer’s personal data only to provide their service and to keeping the data secure. If one adds a few more statutorily required concepts, one can address 80 to 90% of the requirements in data protection laws around the world. Keeping the document as short as possible means there are fewer words for all involved to review and negotiate. And adding only terms that are legally necessary should greatly reduce the need for negotiations. What it should come down to between the parties is an alignment on their respective roles (controller or business, versus processor or service provider), and the rest should follow.
From January 1, 2023, the CCPA includes a third possible characterization, the “contractor,” that imposes fewer limitations on processing activities compared to those applicable to a “service provider.” But the contractor characterization is more difficult to align with a processor characterization under the Virginia and Colorado laws as well as the GDPR, and is therefore a less practical option. To the extent it applies, the U.S. federal Health Insurance Portability and Accountability Act (HIPAA) warrants its own separate “business associate agreement,” which should also be kept separate from the commercial agreement and cover only the legally required terms.
Countries in Latin America have not yet harmonized their data protection laws or developed a uniform approach to cross-border data transfers.
Argentina and Uruguay have qualified for “adequacy” decisions by the EU Commission. This means companies in the EEA can transfer personal data to these countries without signing the new SCCs or conducting elaborate transfer impact assessments. Yet, companies might want to rely on them anyway in the interest of standardization, because customized agreements as an alternative create additional burdens on contracting processes.
For transfers of personal data from Argentina, the Argentinean Data Protection Authority has published its own model clauses for international data transfers to countries that it does not deem adequate. The authority might also accept the new SCCs instead of its own model clauses, given that it accepted the earlier versions. The same approach should be viable for Uruguay. Companies that follow this approach should make clear in their contracts that they apply the new SCCs also to personal data concerning data subjects in Argentina and Uruguay. Such a scope expansion seems opportune for countries with GDPR-like laws, in the interest of standardization, but should be avoided for countries with entirely different regimes, particularly those with significant risks of private litigation, like the United States.
Other countries in the region, such as Chile, do not have a comprehensive data protection law in place yet, so there are no specific requirements for using SCCs. Other countries that are not deemed adequate jurisdictions by the EU Commission, but that do have data protection laws in place, will accept international data transfers that rely on the EU Commission-approved SCCs. In Peru, international data transfers under Peruvian law are authorized if they are supported by a written agreement that guarantees the same level of protection as Peruvian law, and for that purpose both the old and the new EU SCCs are acceptable. In addition to a written agreement, under Peruvian law data subjects must grant express consent to international data transfers, except where the transfer is necessary for performing a contract with the data subject or is in the public interest.
Last but certainly not least, Brazil has enacted a General Data Protection Law (LGPD) that entered into force in September 2020 and is similar to the GDPR. One of the transfer mechanisms under the law is model clauses, but the Brazilian Authority has not published any yet. Although there is no official statement from the Brazilian Authority in that regard, considering that the law in Brazil was inspired by and follows the same principles as the GDPR, many businesses expect that the new SCCs will be deemed acceptable for personal data transfers from Brazil as well.
Countries in the Asia-Pacific region have not made any real attempts at harmonizing their national privacy laws on a regional basis. Countries that have enacted privacy laws will find them quite different from their neighbors’ laws. But, they have been working on solutions for cross-border data transfers, including within the Asia-Pacific Economic Cooperation (APEC) framework.
Some APAC countries have not yet enacted specific privacy or data protection laws with explicit, omnibus cross-border transfer restrictions, including Vietnam, Indonesia and Thailand. Thailand’s laws have been drafted and are based loosely upon the GDPR; they will come into force next year.
Countries with moderately long-standing privacy laws, such as Australia, New Zealand, Singapore, the Philippines and Malaysia, increasingly align their laws with the GDPR. In many of these jurisdictions, some form of contractual commitment may be required, and is acceptable, to ensure the legitimate transfer of personal data outside of their jurisdictions. Most APAC countries have neither prescribed national SCCs nor expressly endorsed the EU’s SCCs. Singapore’s Personal Data Protection Commission has acknowledged that the EU SCCs may be adopted, but other countries have remained silent on this point. Therefore, companies have to carefully consider the pros and cons of expanding the scope of the new SCCs to personal data from these jurisdictions. Many are likely to hold off until clearer needs and benefits emerge and, in the meantime, use more focused and limited commitments as proposed above for U.S. privacy law compliance.
The Indian parliament has been debating a new data protection law with many similarities to the GDPR since 2018, see Lothar Determann and Chetan Gupta, India’s Personal Data Protection Act, 2018: Comparison with the General Data Protection Regulation and the California Consumer Privacy Act of 2018, 37 Berkeley Journal of Int’l Law 481 (2019). If this law takes effect, India may promulgate its own standard contractual clauses and hopefully recognize the SCC 2021 to allow standardization.
Japan has an advantage when it comes to transfers to and from the EU. It received a mutual adequacy decision with the EU in January 2019, the first country to do so after the GDPR went into effect. This allows personal data to be transferred from the EU to Japan freely, and from Japan to the EU with just a simplified contractual arrangement. New Zealand earned adequacy before the GDPR took effect, and South Korea expects to agree on mutual adequacy with the EU soon.
Finally, China’s Personal Information Protection Law takes effect on November 1, 2021, and has many aspects that are similar to the GDPR, but it does not fully synchronize with the GDPR or other jurisdictions’ privacy laws. See Lothar Determann, Tingting Gao, Zhenyu (Jay) Ruan and Jonathan Tam, China’s Personal Information Protection Law, 4 Journal of Data Protection & Privacy 7 (2021). It is anticipated that China will publish its own SCCs instead of accepting the new EU SCCs, but details are not yet available.
Conclusions and Outlook
Data processing agreements are both a sales and compliance topic for many organizations. Customers using cloud solutions hosted globally are being pressured by regulators, litigants, their own data protection officers, and various other stakeholders. Organizations across all jurisdictions and industries need to come up with practical solutions for data processing agreements that can be implemented through the data-processing chain. All feel an urgent need to simplify and standardize.
For all countries within and a few outside the EEA, the new SCCs offer opportunities for standardization. For countries that do not require or reward an expansion of the new SCCs, companies can deploy concise, consolidated data-processing terms that address descriptive national statutory requirements, ideally without repetition and unnecessary complexities.
Businesses need to work collaboratively on this topic and separate contracting for compliance, where their interests are largely aligned, from contracting for commercial risk allocation, where their interests tend to be diametrically opposed. Privacy professionals should take a holistic view and be sympathetic to each contracting party’s position in the supply chain. It is in everyone’s interest to document technical and organizational measures well, satisfy documentation requirements under data protection laws, clarify obligations, and avoid ambiguities that invite amorphous negligence claims in case of a security breach. Customer and service provider each need meaningful, written instructions regarding personal data processing, to keep the customer in control and to enable both parties to rely on exceptions from transfer restrictions. Companies within and outside the EEA need the relevant information to document transfer impact assessments, and companies outside the EEA are in a better position to compile the relevant facts.
If organizations or individuals refuse to take compliance-focused, pragmatic and collaborative views, they risk becoming an unnecessary obstacle to data flows and economic cooperation. This will impact their ability to focus on many other, arguably more important, data privacy protection tasks, such as data security, transparency, retention and deletion. They also risk paralyzing their compliance programs and hindering revenue generation. One size does not fit all, but the basic principles highlighted in this article apply to most businesses.
The authors are partners at Baker McKenzie, based in Palo Alto, San Francisco, Frankfurt, São Paulo and Tokyo respectively. This article reflects their own personal views.