On June 4th 2021, the European Commission published the final working documents of the new standard contractual clauses (SCC). Since then, the new SCC have been published in the official journal of the European Union. Since the Schrems II decision of the European Court of Justice set stringent criteria for the use of the existing SCC, privacy professionals and businesses alike have eagerly awaited publication of new standard contractual clauses. Now that the new SCC have been published, the question arises: were these standard contractual clauses worth the wait?
By Cécile van der Heijden
The answer to the above question is ambiguous: yes and no. The new SCC offer a great improvement compared to the existing SCC, but they do not resolve all issues caused by the Schrems II decision. Below, I will discuss this in more detail.
Relevance of SCC for the life sciences sector
The GDPR sets a stringent regime for transfers of personal data. Although the word "transfers" tends to be used with various meanings throughout (data protection) contracts, the GDPR refers to transfers as the situation where a party established outside of the EEA obtains access to the personal data, either via provision thereof or by being given access to data located in the EEA. A transfer of personal data is only allowed if one of the hierarchical transfer measures documented in chapter V of the GDPR is applied.
Particularly for the life sciences sector, personal data is highly relevant and seldom remains stationary in a single country. Medical devices are placed on the market in the EEA by non-EEA-based manufacturers. These manufacturers may process personal data concerning EU citizens to offer a service to the data subjects (e.g. via an app) or in order to register device incidents. Manufacturers of medical devices are also obliged to conduct post-market surveillance under the Medical Devices Regulation (Regulation (EU) 2017/745), which may constitute post-market clinical follow-up requiring information about the patient. Furthermore, raw study data may be used by medical device manufacturers and pharmaceutical companies to place a new intervention on the market in another territory, requiring provision of the raw study data to the competent authorities in the new territory. Not all of these purposes can be covered by the other transfer measures laid down in chapter V of the GDPR.
A brief recap
The transfer measure with the highest ranking is the adequacy decision. This requires a decision of the European Commission establishing that the level of data protection offered by a specific country is adequate compared to the golden standard offered by the GDPR. Adequacy decisions are the only transfer measure which – in general – does not require additional action from the parties involved in a transfer. In the Schrems II decision, the European Court of Justice established that the European Commission incorrectly determined that the US offered an adequate level of data protection. This is also where the trouble with the SCC originates.
In the Schrems II decision, the European Court of Justice not only declared the EU/US adequacy decision invalid, but also decreed that for the use of SCC, the parties transferring the personal data should verify that the country in which the recipient is established provides an equivalent level of protection, again compared against the golden standard. It goes without saying that this exercise, undertaken for every country to which personal data is transferred by a company, requires more resources than many (small and medium-sized) companies are able to dedicate to this requirement.
This was – in practice – a break with common practice prior to this decision. SCC were largely used as fill-in-the-blank exercises without any significant review of the data protection laws in the countries of the recipient. In my opinion, this was partially caused by supervisory authorities not doing any significant follow-up in relation to transfers. Notwithstanding, Schrems II caused a lot of uncertainty, as the decision also threatened to prevent the use of SCC for transfers to the US without – in many cases – any adequate alternatives. For the life sciences sector, this would have had significant consequences in light of patient safety and product development.
The existing SCC, which are currently in use, were a legacy from the data protection regime under the EU Data Protection Directive preceding the GDPR. The existing SCC only covered transfers between two controllers (with the transferring controller being established in the EEA) and between a controller and a processor (with the transferring controller being established in the EEA). Technically, the existing SCC could not be used for transfers from an EEA-based processor to either a controller or another processor. Although some competent supervisory authorities appeared to allow for use of the existing SCC outside of their original scope (e.g. between two processors), the use of SCC for transfers outside this intended scope was always an uneasy fit.
The new SCC remedy this. Annex I to the Appendix of the SCC explicitly calls for the parties entering into the SCC to select which transfer relationship is applicable. There are four options:
– controller to controller (module 1);
– controller to processor (module 2);
– processor to processor (module 3);
– processor to controller (module 4).
Notwithstanding, it is still obligatory to conduct a test of national law in the country of the recipient against the golden standard of EU data protection law under the GDPR. Consequently, it is still possible for national law to fall short of providing an adequate standard of data protection equivalent to the golden standard. The obligation to conduct such a review will still require quite some resources from the transferring party. So far, mass guidance on a national level has not yet been made available. We are therefore dependent on case law such as the Schrems II decision, which will not always be positive in nature. The new SCC do not take away limitations set by national law and still require in-depth due diligence and supplementary measures.
The new SCC partially implement measures suggested by the European Data Protection Board (in which all national competent supervisory authorities are represented). Unfortunately, the EDPB guidance on supplementary measures still stands and should be considered in addition to the SCC. Contrary to the old SCC, the new SCC still require significant work from any party looking to transfer personal data.
Change of scope
There is also good news. Previously, the old SCC were applied on a territorial basis: if the recipient was not established in the EEA, a transfer measure was required. In its implementing decision, the European Commission has made a significant switch by stating:
“The standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).”
The GDPR does not only apply to parties established in the EEA, but also to parties that are subject to the extra-territorial scope of article 3 GDPR, for example due to the monitoring of the health of a data subject. Until now, it was accepted as GDPR canon that any transfer of personal data to a third country, regardless of the applicability of the extra-territorial scope, required a transfer measure under chapter V of the GDPR (such as SCC).
The above quote from the new SCC implies that the European Commission seems to be of the opinion that a party already subject to the GDPR – regardless of its physical location – does not require a transfer measure to receive personal data from the EU. If this interpretation is correct, then it would be a significant departure from canon and definitely worth the wait, as it would save several medtech companies a lot of additional hoops to jump through. This interpretation would also hold merit for the applicability of other transfer measures to parties subject to the territorial scope.
Notwithstanding, this interpretation would be contradictory to the requirements set by the European Court of Justice in the Schrems II decision of equivalent levels of protection in the country where the recipient is established and could serve as a shortcut around problematic national law in those countries. It remains to be seen whether this interpretation is acceptable to competent supervisory authorities, and my expectation is that more activist competent supervisory authorities (such as the Dutch competent supervisory authority – based on my experience with them) will not look kindly on companies seeking to ‘limit equivalent data protection’ by not using a transfer measure.
The SCC have entered into force on 25 June 2021. Article 4 of the decision of the European Commission concerning the new SCC contains a transitional period of one year and three months. The SCC laid down in either Commission Decision 2001/497 (controller-controller transfers) or Commission Decision 2010/87/EU (controller-processor transfers) that are used in a contract prior to 27 September 2021 shall be considered appropriate safeguards until 27 December 2022. This, however, only applies if the processing operations involved remain unchanged and the transfer is subject to appropriate safeguards. This may mean that the guidance concerning supplementary measures provided by the EDPB must be applied. For companies that currently rely on the old SCC, quite some work is required in revisiting existing agreements.
For new transfers, the new SCC must be used from 27 September 2021 onward.
You may have noticed that article 4 of the implementing decision concerning the new SCC only lists two sets of old SCC rather than the three existing sets. This may have been a mistake, but it could be argued that the implementing decision for the third set (Commission Decision 2004/915/EC) technically concerns an amendment of the older Commission Decision 2001/497 (controller-controller transfers) in addition to creating a separate set of SCC. Notwithstanding, it remains to be seen how competent supervisory authorities interpret the lack of a reference to Commission Decision 2004/915/EC. Companies relying on Commission Decision 2004/915/EC would, however, do well to take the adage ‘better safe than sorry’ to heart and to upgrade to the new SCC without delay.
About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law and healthcare law in the life sciences sector and Floris van der Laan, a paralegal with interest in technology and its connection to EU privacy and data protection law. Both are based in Amsterdam, the Netherlands.
This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.
DISCLAIMER. This blog is written strictly in a personal capacity and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from authors, cannot replace legal advice and do not lead in any manner to an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via: email@example.com