On 4th June 2021, the EU official journal released a document titled “Commission implementing decision (EU) 2021/914” as a guide to incorporating the new SCC draft. This is being put into practice by 27th September 2021 and all contracts between EU data exporters and Indian data importers may be subject to review.
The text of the publication is available here.
Some essential features of this development are captured here.
- The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers.
- The controller or processor is free to include those standard contractual clauses in a wider contract provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.
- Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses.
- The use of the standard contractual clauses is without prejudice to any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities.
- The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of the Regulation.
- With some exceptions, in particular as regards certain obligations that exclusively concern the relationship between the data exporter and data importer, data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries. … Therefore, while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights. (#1)
- In order to ensure effective enforcement, the data importer should be required to submit to the jurisdiction of such authority and courts, and to commit to abide by any binding decision under the applicable Member State law. (#1)
- The Annex to the notification provides the standard contractual clauses.
- There are four modules of the SCC: one for transfer of data from controller to controller, the second for transfer from controller to processor, the third for transfer from processor to processor and the fourth for transfer from processor to controller. (#2)
It is important to recognize that the use of a particular model of SCC is based on the identification of whether the data exporter or the importer is a controller or processor. The use of Module 4 indicates a possibility that there may be a data exporter who is a processor but transfers the data to a controller under a contract of his own.
The context in which this contract is to be used will be an important decision to be taken by the companies in India.
Modules I, II and III are more straightforward since they determine the flow of instructions from an upper data-riparian party to a lower data-riparian party. Module 4, however, is different.
The notification is a mix of provisions applicable to the four modules, and to understand it we need to segregate the 18 clauses into each of the four different modules.
(Further detailed analysis may be necessary to understand the complications that may arise in drafting a viable contract or vetting the contract that may be provided by a data exporter from EU.)
Naavi
Notes:
#1: This indicates that the importer’s obligation to provide enforcement rights to data subjects is meant for member states and not for other sovereign countries. However, the general definition of data importer and the need for SCC actually arise for data transfers outside the EU. Hence there is a little ambiguity on how a data importer who is a commercial entity can agree to accept obligations which may not be permitted under the local laws. In this context the responsibility of the Controller to confirm that it warrants that reasonable efforts have been taken by him to determine if the data importer is able to satisfy the obligations (Clause 8 of Annex) becomes critical.
#2: GDPR recognizes three roles in a data processing contract, namely “Controller”, “Joint Controller” and “Processor”. In this context an SCC from the “Processor” to a “Controller” appears to be a strange construct. But it may take into account cases where a data controller is located outside the EU (processing the GDPR data) and engages the services of a Data Processor inside the EU who may in turn use a sub-processor outside the EU. In such a case the Data Processor inside the EU may need to secure his interests to be compliant with GDPR and this contract may help that cause. It may apply to cases where a company outside the EU is the controller and the processor in the EU is its subordinate office.