A company’s chain of cybersecurity measures is only as strong as its weakest link. To keep supply chains strong and secure, companies have to contractually bind every vendor to apply adequate technical and organizational data security measures (also known as “TOMs”). But this task is becoming harder and harder as more and more jurisdictions enact privacy, data protection and information security laws with ever more prescriptive requirements for contract terms in data processing agreements (see Lothar Determann, California Privacy Law, Practical Guide and Commentary, 4th Ed. 2020, Chapter 5).
Privacy professionals around the world are currently feverishly working on configuring and implementing the EU’s new Standard Contractual Clauses (“SCC 2021”). Since September 27, 2021, companies in the European Economic Area (EEA) are prohibited from sharing personal data with companies in the United States and most other countries, unless the recipient outside the EEA agrees to the SCC 2021, which were published only in June 2021 (see Elisabeth Dehareng, Francesca Gaudino and Brian Hengesbaugh, The road ahead in an uncertain world of cross-border data transfers, IAPP Advisor, June 2021). Any recipient that signs the SCC 2021 promises that it has matching agreements in place with its own vendors (SCC 2021, Clauses 8.8 and 9). Myriad businesses are affected, because every company has numerous affiliated and unaffiliated vendors and other business partners around the world. All need to have the SCC 2021 in place by September 27, 2021 to remain open to business from the EEA. Businesses struggle, given the enormity of this task.
To further complicate an already difficult situation, many other countries have been requiring businesses to put similar, yet different, contract clauses in place to protect personal data of their residents, including, most recently, several U.S. states. Businesses also have to flow such clauses down through multiple tiers of service providers. Addressing such requirements with separate contracts, one country at a time, quickly becomes unmanageable. A medium-size multinational business with subsidiaries, employees and customers in 20 jurisdictions, and vendors in another 20 jurisdictions, would already need to implement 400 data transfer and processing agreements, and if each vendor has another 20 vendors, we are already counting 8,000 contracts originating from one multinational; this is before we have looked at additional tiers of suppliers and considered that larger businesses have thousands of vendors.
Privacy professionals need to develop practical approaches. Companies need to work collaboratively with supply chains and customers to pursue solutions that all businesses can scale globally. In-house counsel cannot afford to focus just on the SCC 2021. Multi-stakeholder compliance teams within companies need to address requirements for data from multiple jurisdictions at the same time (see Determann’s Field Guide to Data Privacy Law, 4th Ed., 2020, Chapter 2). For most service providers, this is not only a compliance topic, but an urgent condition of sales and commercial success (see Determann/Nebel, TMT Services after Schrems II, IAPP Advisor, July 27, 2020).
Implementing the SCC 2021.
Just dealing with the latest from the old world presents challenging problems: the SCC 2021 take up more than 25 pages in normal formatting (the word count exceeds 11,400), contain multiple modules, mandate selections, and require companies to fill out Annexes and prepare detailed written descriptions of security measures, processing instructions, and cross-border transfer impact assessments.
Companies have to adopt the clauses without revisions or modifications in order to enjoy the corresponding exceptions from prohibitions of data transfers under the GDPR, see SCC 2021, Clause 2. Companies are not prohibited from adding commercial clauses concerning liability, warranties, disclaimers and indemnification, but must not contradict Clause 12, e.g., by completely rendering the clauses ineffective by way of an absolute limitation of liability. In practice, however, it is preferable to address risk allocation in separate commercial agreements, to avoid complicating or delaying the implementation of the SCC 2021, in which both parties have a common interest. In many cases, the commercial agreements are already in place or are being negotiated by separate teams of attorneys and procurement professionals whom privacy professionals may prefer not to draw into the intricacies of data processing agreements.
In most cases, multiple modules apply to any given business relationship. Therefore, companies should consider adopting the SCC 2021 in their entirety and defining their applicability to particular data transfers in Annex 1, as opposed to signing up to individual modules separately.
Multinationals that insist on separate, direct bilateral contracts between every one of their own subsidiaries and every subsidiary and subprocessor on the vendor side are demanding the impractical. In most cases, solutions have to include hub-and-spoke contracting models, whereby one entity in the customer group engages with one entity in the vendor group, and these two entities pass the contractual commitments through to their respective affiliates. Incorporation by reference and multiple parties signing one contract document should also be considered. To help each other out, the parties could agree to sign separate, additional bilateral versions in case of a legitimate need.
Businesses should also think long and hard about the PROs and CONs of using the new standard contractual clauses for processing arrangements within the EU (Commission Decision 2021/915, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915). These are shorter and less burdensome, but introduce extra complexities. Alternatively, companies can use the SCC 2021 across the board, also for processing agreements within the EU, given that the European Commission expressly stated that the SCC 2021 “should also allow to fulfil the requirements of Article 28(3) and (4)” of the GDPR and constitute “standard contractual clauses pursuant to Article 28(7)” GDPR, see Clause 2 and Recitals 8 and 9 of Commission Decision 2021/914, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
With the SCC 2021, companies have to document instructions for processors, which could refer to the service provider’s standard technical specifications. Also, companies have to document “transfer impact assessments” pursuant to Clause 14, implementing requirements that the European Court of Justice promulgated in its Schrems II decision (https://curia.europa.eu/juris/document/document.jsf?text=&docid=230683&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=6322992) and the European Data Protection Board expanded in its final recommendations on June 18, 2021. Several German data protection authorities have started to audit German companies with questionnaires, including questions such as “If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs, please describe in detail your reasons for this conclusion and provide appropriate evidence.” Service providers outside the EEA should proactively prepare information for such assessments to render their offerings legally usable for customers in the EEA.
Divided State Law in the United States.
Multiple states have been passing omnibus privacy laws, inspired by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act. Companies around the world doing business in or with the U.S. must deal with this patchwork until possible harmonization may come from an omnibus U.S. federal privacy law. On the customer and vendor side, companies need to consider their position with respect to “selling personal information,” see Lothar Determann, California Privacy Law, 4th Ed., Chapters 2(C) and (Q). They cannot rely on exceptions for processing arrangements unless they agree on particular terms relating to selling and sharing of personal information for cross-context behavioral advertising. Under the Virginia Consumer Data Protection Act and Colorado Privacy Act, slightly different terms are required for all controller-to-processor flows of personal information. Seemingly simple clauses like “vendor agrees to comply with California privacy laws” are ineffective and insufficient, because customers need statutorily prescribed commitments concerning the use and sharing of the customer’s data.
Some companies have started to integrate legally mandated data processing terms into commercial agreements. Others have created detailed, state-by-state addenda with complicated and repetitive terms. Form agreements often conflate commercial questions (such as risk allocation) with compliance questions (the legal need to put certain contractual terms in place) and lead to lengthy negotiations and documentation that cannot easily be leveraged for new contracts. To avoid the adverse impact on sales cycles and legal budgets, companies should consider consolidating mandated clauses in a concise set of data protection standards that they would be willing to agree to as customers or as service providers (most companies are both, in different parts of their businesses).
Most requirements can be addressed in less than two pages with pragmatic and concise drafting. At the end of the day, processors have to commit to using the customer’s personal data only to provide their service and to keeping the data secure. If one adds a few more statutorily required concepts, one can address 80-90% of requirements in data protection laws around the world. Keeping the document as short as possible means there are fewer words for all involved to review and negotiate. And sticking, in the data processing agreement, to terms that are legally necessary should itself greatly reduce the need for negotiations. What it should come down to between the parties is an alignment on the roles of the parties (controllers/businesses or processors/service providers), and the rest should follow.
From January 1, 2023, the CCPA includes a third possible characterization, the “contractor,” that imposes fewer limitations on processing activities compared to those applicable to a “service provider”. But the contractor characterization is more challenging to align with a processor characterization under the Virginia and Colorado laws as well as the GDPR, and therefore a less practical option. To the extent it applies, the U.S. federal Health Insurance Portability and Accountability Act (HIPAA) warrants its own separate “business associate agreement”, which should likewise be kept separate from the commercial agreement and cover only the legally required terms.
Countries in Latin America have not yet harmonized their data protection laws or developed a uniform approach to cross-border data transfers.
Argentina and Uruguay have qualified for “adequacy” decisions by the EU Commission. This means that companies in the EEA can transfer personal data to these countries without signing the SCC 2021 or conducting elaborate transfer impact assessments. Yet, companies might want to rely on the SCC 2021 anyway in the interest of standardization, because customized agreements as an alternative create additional burdens on contracting processes.
For transfers of personal data from Argentina, the Argentinean Data Protection Authority has published its own model clauses for international data transfers to countries that are not deemed adequate by the Argentinean Authority. The authority might also accept the SCC 2021 instead of its own model clauses, given that it accepted the predecessor versions. The same approach should be viable for Uruguay. Companies that follow this approach should be clear in their contracts that they apply the SCC 2021 also to personal data concerning data subjects in Argentina and Uruguay. Such a scope expansion seems opportune for countries with GDPR-like laws, in the interest of standardization, but should be avoided for countries with entirely different regimes, particularly those with significant risks of private litigation like the United States.
Other countries in the region, such as Chile, do not have a comprehensive data protection law in place yet, and for that reason there are no specific requirements for the use of standard contractual clauses. Yet other countries are not deemed adequate jurisdictions by the EU Commission, but have data protection laws in place and accept international data transfers that rely on the EU Commission-approved standard contractual clauses. In Peru, international data transfers under Peruvian law are authorized if they are supported by a written agreement that guarantees the same level of protection as Peruvian law and, for that purpose, the old and new EU SCCs are acceptable. In addition to a written agreement, under Peruvian law, data subjects must grant express consent to international data transfers except where the transfer is necessary for performing a contract with the data subject or in case of public interest.
Last but certainly not least, Brazil has enacted a General Data Protection Law (LGPD) that entered into force in September 2020 and is similar to the GDPR. Model clauses are one of the transfer mechanisms under the law, but the Brazilian Authority has not published any yet. Although there is no official statement from the Brazilian Authority in that regard, considering that the law in Brazil was inspired by and follows the same principles as the GDPR, many businesses expect that the SCC 2021 will be deemed acceptable for personal data transfers from Brazil as well.
Countries in the Asia-Pacific region have not made any real attempts at harmonizing their national privacy laws on a regional basis. Countries that have enacted privacy laws will find them quite different from their neighbors’ laws. But they have been working on solutions for cross-border data transfers, including within the Asia-Pacific Economic Cooperation (APEC) framework.
Some APAC countries have not yet enacted specific privacy or data protection laws with explicit, omnibus cross-border transfer restrictions, including Vietnam, Indonesia and Thailand. Thailand’s laws have been drafted and are based loosely upon the GDPR; they will come into force next year.
Countries with moderately long-standing privacy laws, such as Australia, New Zealand, Singapore, the Philippines and Malaysia, are increasingly aligning their laws with the GDPR. In many of these jurisdictions, some form of contractual commitment may be required, and accepted, to ensure the legitimate transfer of personal data outside of their jurisdictions. Most APAC countries have not prescribed national standard contractual clauses or expressly endorsed the EU’s standard contractual clauses. The data protection authority in Singapore has acknowledged that the EU SCCs may be adopted, but other countries have remained silent on this point. Therefore, companies have to carefully consider the PROs and CONs of expanding the scope of the SCC 2021 to personal data from such jurisdictions; many are likely to hold off until clearer needs and benefits emerge and in the meantime use the more focused and limited commitments proposed above for United States privacy law compliance.
The Indian parliament has been debating a new data protection law with many similarities to the GDPR since 2018, see Lothar Determann and Chetan Gupta, India’s Personal Data Protection Act, 2018: Comparison with the General Data Protection Regulation and the California Consumer Privacy Act of 2018, 37 Berkeley Journal of Int’l Law 481 (2019), https://ssrn.com/abstract=3244203. If this law takes effect, India may promulgate its own standard contractual clauses and hopefully recognize the SCC 2021 to allow standardization.
When it comes to transfers to and from the EU, Japan is in an advanced position, being the first country since the adoption of the GDPR to have a mutual adequacy decision with the EU, in January 2019. This allows personal data to be transferred freely from the EU to Japan, and from Japan to the EU with only a simplified contractual arrangement. New Zealand already earned an adequacy finding before the GDPR took effect, and South Korea expects to agree on mutual adequacy with the EU in the near future.
Finally, China’s Personal Information Protection Law takes effect on November 1, 2021, and has many aspects that are similar to the GDPR, but does not fully synchronize with the GDPR or other jurisdictions’ privacy laws. See Lothar Determann, Tingting Gao, Zhenyu (Jay) Ruan and Jonathan Tam, China’s Personal Information Protection Law, 4 Journal of Data Protection & Privacy 7 (2021). It is anticipated that China will publish its own standard contractual clauses rather than accept the EU’s SCC 2021, but details are not (yet) available.
Conclusions and Outlook.
Data processing agreements are both a sales and a compliance topic for many organizations. Customers using cloud solutions hosted globally are being pressured by regulators, litigants, their own data protection officers, and various other stakeholders. Organizations across all jurisdictions and industries need to come up with practical solutions for data processing agreements that can be implemented through the data processing chain. All feel an urgent need to simplify and standardize.
For all countries within, and a few outside, the EEA, the SCC 2021 offer opportunities for standardization. For countries that do not require or reward an expansion of the SCC 2021, companies can deploy concise, consolidated data processing terms that address prescriptive national statutory requirements, ideally without repetition and unnecessary complexities.
Businesses need to work collaboratively on this topic and separate contracting for compliance (where their interests are largely aligned) from contracting for commercial risk allocation (where their interests tend to be diametrically opposed). Privacy professionals should take a holistic view and be sympathetic to each contracting party’s position in the supply chain. It is in everyone’s interest to document technical and organizational measures well, to satisfy documentation requirements under data protection laws, clarify obligations, and avoid ambiguities giving rise to amorphous negligence claims in case of a security breach. Customer and service provider each need meaningful, written instructions regarding personal data processing, to keep the customer in control and both parties able to rely on exceptions from transfer restrictions. Companies within and outside the EEA need the relevant information to document transfer impact assessments, and companies outside the EEA are in a better position to compile the relevant facts.
If organizations or individuals refuse to take compliance-focused, pragmatic and collaborative views, they risk becoming an unnecessary obstacle to data flows and economic cooperation. This will impact their ability to focus on many other, arguably more important, data privacy protection tasks, such as data security, transparency, retention and deletion. They also risk paralyzing their compliance programs and hindering revenue generation. One size does not fit all, but the basic principles highlighted in this article apply to most businesses.