The New SCCs Part 2
Practical Aspects of the New SCCs
By Dan Or-Hof Adv, CIPP/E, CIPP/US, CIPM, FIP
June 27, 2021
On June 4th, 2021, the European Commission adopted revised standard contractual clauses for international transfers (the “New SCCs”). The New SCCs were published officially on June 7th this year.
This is the second post of a series about the practical aspects of the New SCCs. This time we focus on the warranty and assessment.
Under Clause 14 (a) of the New SCCs, the parties must warrant that they have no reason to believe that the laws of the destination country, especially related to disclosure of data to authorities, will prevent the data importer from fulfilling their obligations under the SCCs.
There are three observations associated with the Clause 14 warranty:
- Mutual Warranty
The Clause 14(a) warranty is mutual, not just the importer’s. Presumably, it requires the exporter to take an active role in the assessment under Clause 14(b) that substantiates the warranty.
Does this mean that the data exporter must conduct its own research and analysis, or join hands with the data importer, rather than rely on the data importer’s findings and statements?
It appears that the though the data exporter provides a warranty, it does not need to conduct an independent assessment.
Under Clause 14(c) of the New SCCs, the data importer (only the data importer) must warrant that “in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information.”
The outcome is that the data exporter can rely in its warranty on facts gathered and presented by the data importer.
However, does it absolve the data exporter from running its own checks?
This is not clear from the wording of Clause 14, and until we receive a clear answer, we will likely need to adopt to more stricter approach, i.e., advise exporters to do their own research.
- Risk Assessment and Interplay with the EDPB Recommendations
The assessment required under Clause 14 involves a mix of factors, divided into three areas:
- The specific circumstances of the transfer;
- The laws and practices of the destination country, especially those laws related to access by authorities; and,
- Additional contractual, technical and organizational safeguards that the parties will use.
The combination of the first and second groups of factors provide a viable option to argue that the transfer does not pose a high risk. For example, one of the criteria under the first group of factors is “the economic sector in which the transfer occurs”. Under the second group of factors, the parties need to assess the authorities’ rights to access data that are “relevant in light of the specific circumstances of the transfer”. Accordingly, this is a case-sensitive assessment and the parties may reach a conclusion that the risk in the data transfer is not high under the specific circumstances. The parties may also argue that their sector is of no interest to US intelligence agencies, pursuant to the September 2020 Joint US White Paper on data transfers after SchremsII.
The third group of factors will likely interplay with the recently published final version of the EDPB recommendations on supplemental transfer tools.
Given that most companies will not stop at phase 3 of the EDPB recommendations, and will opt to rely on supplemental safeguards, the options and use cases presented in the recommendations, will likely also support the parties’ assessment and warranty under Clause 14.
- An On-Going Process
Under Clause 14 (c) of the New SCCs, the data importer warrants that “it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.”
Does it mean that the data importer must continue conducting Clause 14(b) assessments on an on-going basis?
How closely must the data importer monitor the destination country’s laws, and especially those laws, rules, regulations and caselaw that govern authorities’ right to access data, not just under the law, but in practice as well?
The answers to these questions are unclear, and in our view post a substantial degree of uncertainty over the scope of efforts and resources that entities, especially data importers, need to invest, in order to comply with the New SCCs.
Read our 1st post on the operational and financial aspects of Clause 15 of the New SCCs.