On 25 May 2022, the European Commission published a set of Questions and Answers (Q&As) to clarify the practical implementation of the new sets of Standard Contractual Clauses (SCCs), adopted in June 2021 (Decision 914/2021/EU). Contracts based on the earlier sets of SCCs will no longer be a lawful basis for international data transfers after 27 December 2022 (Q&A No. 22).
As a reminder, SCCs are standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They are based on a triangular relationship, whereby the obligations assumed by the data importer and the data exporter (the parties to the contract) by virtue of their contractual agreement can be enforced by the data subject, acting as a third-party beneficiary.
SCCs are, by definition, incorporated within an international contract between a controller/processor of personal data established in the EU (or subject to the GDPR pursuant to Article 3(2) thereof) and a controller/processor established in a third country and placed beyond the scope of application of the GDPR (cf Q&A No. 24). Owing to their congenital “foreign element”, these contracts must speak the language of private international law (PIL), at least in cases where they are concluded between two commercial entities (see Q&A No. 2 for the potential range of users of the SCCs). In this respect, the Commission’s Q&As bring along welcome clarifications concerning some of most recurrent PIL issues arising out of these clauses, such as those regarding the contents and limits of conflict-of-laws party autonomy and the interplay between these contracts and the legal order (notably, the overriding mandatory rules) of the receiving third country.
While being of certain interest for the private international lawyer, the relationship between local laws (objectively applicable to the data importer) and the SCCs remains extremely complex and it deserves its own blogpost. For this reason, Section A of this blogpost will briefly present the major “PIL innovations” brought along by the 2021 SCCs, focusing solely on choice of law and choice of court clauses. Section B will then point to some unresolved issues that presently find no answer in the Commission’s Q&A (nor elsewhere).
A. Modernised SCCs and PIL: What’s New
The first and most evident innovation brought along in 2021 consists in an attempt at simplification of the regulatory environment. The three distinct sets of SCCs adopted under Directive 95/46 [Decision 2001/497/EC (SCCs for controller to controller transfers), Decision 2004/915/EC (alternative set of SCCs for controller to controller transfers) and Decision 2010/87/EU (transfer of personal data to processors established in third countries)] have been replaced by two sets of SCCs: one concerning the relationship between controllers and processors to fulfil the requirements in Article 28(3) and (4) of the GDPR; one dealing with SCCs as a tool for the transfer of data outside the EEA. The latter present an innovative modular structure consisting of 4 “modules”, covering four transfer scenarios (cf Q&A Nos 21 and 27): transfer from EU-based Controller to Non EU-based Controller (Module 1); transfer from EU-based Controller to Non EU-based Processor (Module 2); transfer from EU-based Processor to Non EU-based Processor (Module 3); transfer from EU-based Processor to Non EU-based Controller (Module 4).
The parties have to combine “general clauses” (that are applicable regardless of the specific transfer scenario) with the module(s) that applies to their specific situation.
For the purposes of the present blogpost, only the SCCs as a tool for the transfer of data outside the EEA will be considered, as specifically concerns the Clauses dealing with applicable law (A.1) and jurisdiction over remedies (A.2).
A.1 Applicable law
The regime governing the choice of the applicable law has undergone significant modifications in the 2021 restyling. To fully grasp these innovations, it is useful to briefly present, at the outset, the previous regime(s) established by the SCCs adopted under Directive 95/46/EC.
– Applicable Law under the Previous SCCs Regime
Concerning applicable law, the previous sets of SCCs clearly regarded international data transfers as a dynamic process, consisting of three distinct strands.
First, the processing of personal data by the data exporter, including the transfer itself, were governed, up to the moment of the transfer, by the objectively applicable data protection law [clause 4 of the SCCs set out by Decision 2001/497/EC; clause I(a) of the SCCs set out by Decision 2004/915/EC; clause 4 of the SCCs set out by Decision 2010/87/EU]. The “objectively applicable data protection law” is, in this context, the Member State law applicable to the EU-established controller by virtue of EU law itself (ie the law determined pursuant to Article 4 of Directive 95/46/EC until 23 May 2016, and by Article 3 GDPR after this date. This law now includes the GDPR-complementing provisions issued by the Member States based on the opening clauses scattered throughout the GDPR, whose spatial scope of application remains uncertain in current law).
Second, the processing of personal data by the data importer, occurring after the transfer to the third country, was seen as a separate processing operation, placed beyond the scope of the direct application of EU law, and governed by the law chosen by the parties to the SCCs. There was not, however, an unrestricted freedom of choice, which was limited to:
(1) the law of the Member State where the data exporter was established [clause 5 (b) first indent of the SCCs set out by Decision 2001/497/EC; clause II(h)(i) of the SCCs set out by Decision 2004/915/EC];
(2) the provisions of an adequacy decision applicable to the third country where the data importer is established, even if such adequacy decision was not applicable ratione materiae to this importer, provided that such provisions were of a nature which made them applicable in the sector of that transfer [cf. Clause 5 (b) second indent of the SCCs set out by Decision 2001/497/EC; clause II (h)(ii) of the SCCs set out by Decision 2004/915/EC];
(3) a (more or less) extensive set of “mandatory data protection principles”, set out in the annexes of the SCCs [clause 5 (b) indent of the SCCs set out by Decision 2001/497/EC; clause II(h)(iii) of the SCCs set out by Decision 2004/915/EC].
Evidently, it is not possible to qualify the choices made under (2) or (3) as a veritable “choice of governing law”: said provisions or principles would have been applied in conjunction with a national law (objectively) applicable to the data importer under local PIL.
Finally, all three sets of SCCs contained a provision entitled “governing law”, whereby “the Clauses shall be governed by the law of the Member State in which the data exporter is established” (respectively clauses 10, IV and 9). The actual scope of this choice of law clause shall be read in the light of what has been said regarding the first two strands of the data processing operation: vis-à-vis the first step, there is no room for party autonomy and the chosen law cannot directly govern the processing operations carried out by the exporter within the EU, including the transfer. The processing of the transferred data by the importer in the third country must also be excluded from the scope of the chosen “governing law”, otherwise the (different) choice eventually made under (2) or (3) above would have been deprived of practical significance. In essence, the law appointed under the clause entitled “governing law” was therefore limited to the “contractual issues” posed by the SCCs (validity, form, nullity, consequences of the total or partial breach etc).
– The 2021 SCCs
The 2021 SCCs did not change the approach with respect to the first strand of the data transfer operation, which remains subject to the “objectively applicable law”, ie the GDPR as eventually complemented by the applicable Member State law (see Clause 2).
With respect to the second strand, the new SCCs took away the possibility of choosing between different alternatives as regards the legal regime applicable to the processing operations carried out by the importer in the third state. The obligations of this party vis-à-vis the exporter and the data subjects are now set out in greater detail in the SCCs themselves, without any specific reference to a national governing law. Clause 4 specifies, in any event, that the SCCs shall “be read and interpreted in the light of the provisions of Regulation (EU) 2016/679”.
Finally, there is, just as in the previous sets of SCCs, a clause (Clause 17) titled “Governing law”, which is quite innovative as compared to its predecessors. Consistently with the “modular structure” of the SCCs, this clause presents different wordings depending on the specific transfer operation at stake.
- For transfers from controller to controller (Module 1), the parties are free to choose the law of one of the EU Member States, subject to the sole requirement that such law allows for third-party beneficiary rights. In particular, neither the clause itself nor the Q&A require an objective connection between the chosen Member State and the transfer operation: the laws of the Member States are deemed perfectly fungible in this respect.
- This unrestricted freedom of choice disappears for Modules 2 (transfer from controller to processor) and 3 (transfers between processors): the law of the Member State where the exporter is established applies in principle, unless it does not allow for third parties beneficiary rights. In that case, the parties must choose the law of another Member States that allows for such rights (again, no objective connection is required).
- Module 4 (transfers from processor to controller) deals with the situation of a non EU-established controller that transfers data to a EU-established processor (eg. outsourcing of payroll services to a EU company). This transfer comes under the scope of EU law once the EU-based processor sends the data back to its controller, established outside the EEA. Given that this data was originally placed under a different (and possibly less protective) legal regime, EU law relaxes some of its requirements and the SCCs allow, in this case, for an unrestricted choice of applicable law (cf. Q&A No. 37). It is uncertain as to whether this unrestricted freedom of choice continues to exist if the data transferred by the processor partially originates in the EU: in this case, in fact, the Q&As specify that the relaxation of other requirements no longer applies (cf. Q&A 44). Despite the silence of the Q&As on this specific point, the same solution seems required as concerns the governing law.
A lingering uncertainty concerns the scope of the governing law and, in particular, the question as to whether it extends to directly regulating the processing operations carried out by the data importer in the third country. According to Q&A No. 37, this law “will govern the application of the SCCs”. It is also stressed that Clause 17 shall be read in conjunction with Clause 4, whereby the interpretation and application of the SCCs should conform to, and should not contradict, the GDPR. Nonetheless, throughout the Q&A, the governing law is mentioned with respect to marginal contractual issues such as formal requirements (Q&A No. 6); the formalisation of the parties’ consent within the docking clause (Q&A No 12); the time limits (Q&A No. 37).
A.2 Jurisdiction over Remedies
With respect to jurisdiction for remedies, the previous sets of SCCs were consistent in that they enabled the data subject who invoked third-party beneficiary rights to sue one or both parties to the contract in the Member State where the data exporter was established, without prejudice to any other substantive or procedural rights he may have had under national or international law.
The new SCCs (Clause 18) are, at once, more detailed and more liberal on this point, insofar as they set out, concerning modules 1, 2 and 3, the general principle whereby “any dispute arising from these Clauses shall be resolved by the courts of an EU Member State”. This provision is particularly important from a systemic point of view, as it makes sure that, irrespective of the law governing the processing activities carried out by the importer, the most important principles of EU data protection law would be enforced in any case as overriding mandatory provisions of the forum.
Clause 18 then requires the parties to expressly designate the court of a Member State: again, the freedom of choice seems unrestricted and no longer dependent on the existence of an objective connection between forum and dispute. Letter (c) of that Clause adds the most important innovation, insofar as it allows the data subject to bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. This choice of court agreement extends the procedural rights granted to the data subject by Article 79 GDPR, a provision that opens a ground of jurisdiction solely with respect to actions brought against the EU-established data exporter, jurisdiction for any action brought against the third-country data importer being left, under than provision, to national PIL.
It must be stressed on that Q&A No. 33 contains a somewhat confusing reference to national law, as it states, concerning the forum opened by letter (c), that “such actions can be brought before the competent court of the EEA country (as determined by national law) in which you live …”. Nonetheless, the data subject’s possibility of suing the data importer in the Member State of his/her habitual residence should depend not on the (dubious) existence, in national law, of a forum actoris, but rather on the choice of court agreement resulting from the combined reading of letters (c) and (d) of Clause 18 (the latter stating that “[t]he Parties agree to submit themselves to the jurisdiction of such courts”). A totally different question is knowing whether, and under which conditions, the designated court will enforce this choice of court agreement: in case the Brussels I bis Regulation is not deemed applicable to these contracts (see Section B), the answer to this question will indeed depend on the (non uniform and potentially inconsistent) national laws of the Member States.
A derogatory regime is set in place for Module 4, which allows the parties to designate any court, ie even the court(s) of a third country. In this respect, however, Q&A No. 33 specifies that this shall not affect the procedural rights conferred to the data subject vis-à-vis the data exporter under Article 79 GDPR
B. Modernised SCCs and PIL: What’s Unresolved
Despite the useful clarifications brought along by the Commission Q&As, concerning notably the room for manoeuvre given to the parties to the SCCs regarding choice of law and choice of court agreements, there still exists some major open questions regarding the practical operation of these PIL devices, that are liable to impinge on the effectiveness of SCCs as a tool for the effective protection of European personal data in case of extra-EEA transfers.
It must be remembered that the main purpose of the SCCs is to “provide a comprehensive data protection framework that has been developed to ensure continuity of protection in case of data transfers to data importers that are not subject to the GDPR” (Q&A No. 24). Within this framework, the third-party beneficiary rights granted to the data subject play a pivotal role, as evidenced by the importance attached to them during the choice of the governing law (supra, Section A.1). Third-party beneficiary rights are a key-element of the so-called “private enforcement” of EU data protection law, insofar as they allow the data subject to directly invoke the protection vested by the GDPR and the SCCs both against the importer and the exporter, and to do so before a court in the EU.
Intuitively, the effective ability of the data subject to ground the jurisdiction of such courts and to invoke the application of said law will depend on the procedural treatment of these choice-of-law and choice-of-court agreements in the seised/designated courts. In this respect, the applicability of both the Brussels Ibis and the Rome I Regulations to the SCCs remains controversial, and finds no clarification in the Commission’s Q&As. Conversely, both the SCCs and the Q&As seem to simply assume that these choice-of-law and choice-of-court agreements will be enforced by any court in the EU.
B.1 Civil and Commercial Matters?
The Brussels I bis and the Rome I Regulations (as well as the Hague Convention on Choice of Court Agreements) apply in “civil and commercial matters”. A recent and exhaustive summary of the (uniform) meaning of this expression in EU PIL can be found in the Opinion of AG Szpunar and the judgment rendered by the ECJ in Rina. Regard should be had, in particular, to the need of ensuring that the Regulations are broad in scope (§ 31 of the judgment in Rina) and to the “the elements which characterise the nature of the legal relationships between the parties to the dispute or the subject matter thereof” (§ 32). This assessment aims at excluding that one of the parties (or both) is acting in the exercise of “public” powers, ie “powers falling outside the scope of the ordinary legal rules applicable to relationships between private individuals” (§ 34).
Against this backdrop, it is worth stressing that the SCCs set up by the Commission can be used by the parties (which, in most cases, will be private commercial operators) without the prior approval by a public authority, the competent DPA. The triangular relationship between the data importer, the data exporter and the data subject heavily relies of private contract law. If it is true that these are all factors that may vouch for the inclusion of SCCs within the scope of “civil and commercial matters”, the fact remains that the Commission’s Q&As stress, on many occasions, the specific “nature” of the SCCs and the ensuing limits placed on the parties’ substantive party autonomy: “if the parties change the text of the SCCs themselves (beyond the adaptations mentioned below) they cannot rely on the legal certainty offered by an EU act” (Q&A No. 7, emphasis added). It will likely be for the ECJ to determine whether the specific nature of “EU act” attached to the SCCs and the limitations it entails for ordinary contract law are enough to exclude a characterisation as “civil and commercial matters” for the purposes of EU PIL.
If the Brussels 1bis Regulation was deemed applicable ratione materiae, it would ensure the effectiveness of the above-mentioned choice-of-court agreements throughout the EU. The fact that said agreements are invoked by a third-party beneficiary should not pose any problem in the light of the Gerling case law. Clearly, the Brussels Ibis Regulation would not be applicable to choice of court agreements concluded under Module 4, in cases where jurisdiction is conferred upon a third-state court.
B.2 A “Free” Choice of Governing Law?
The applicability of the Rome I Regulation to the SCCs elicits more substantial doubts.
To begin with, it is uncertain as to whether the choice of law made by the parties under current Clause 17 can be deemed “free” in the sense of Article 3 thereof. Setting aside the non-problematic case of the (unrestricted) freedom of choice available for Module 4, Module 2 and 3 confer very limited leeway: the parties must choose the law of the Member State where the data exporter is established, deviations being admissible solely if this law does not allow for third-party beneficiary rights (it must be added that the unrestricted freedom of choice which follows from this circumstance is at odds with the limitation set by the general rule: a “cascade” list of options or, even better, a rule turned around a “close(st?) connection” with another Member State would have been a more logical complement to the general rule).
As concerns the requirement that the choice of law made under Article 3 of the Rome I Regulation shall be “free”, it is worth stressing that both the Opinion of AG Campos Sánchez-Bordona and the judgment of the Court in Gruber Logistics started from the assumption that a “choice” of law which is actually imposed by law would be incompatible with this provision (respectively, §§ 97-101 of the Opinion and § 39 of the judgment). In the same case, the Court clarified that regulation does not prohibit the use of standard clauses which are pre-formulated by one of the parties (or, it must be assumed, by a third party). In such a case, freedom of choice, within the meaning of Article 3, can be exercised by consenting to such a clause and is not called into question solely because that choice is made on the basis of a pre-formulated clause.
The compatibility of Clause 17 of the SCCs with the Rome I Regulation teeters along the fine line which separates an ex lege imposition of an applicable law and the sheer pre-drafting by the Commission. It must be stressed, in this respect, that SCCs are established through an Implementing Decision of the Commission, but they can be used by the parties on a voluntary basis to demonstrate compliance with data protection requirements (Q&A No. 1). Nonetheless, if the parties choose to resort to these standard clauses, they are not free to amend the wording of Clause 17, besides the exercise of the freedom of choice (if any) explicitly allowed under that provision. If this provision is amended, the parties need to submit their contract to the DPA for prior approval, to be able to proceed with the transfer. It is highly doubtful that a DPA would approve a contract containing, for example, a choice of third-country law for the transfer scenarios corresponding to Modules 1, 2 and 3. In fact, in the Schrems II, the ECJ attached great importance to the safeguards following from the application of the law of the Member State where the exporter is established, when assessing if the protection granted by the former SCCs was “essentially equivalent” to that guaranteed within the Union (§ 138).
B.3 Universal Application v Restrictions to the Freedom of Choice
More fundamentally, it must be determined whether the Rome I Regulation is compatible with the “geographical” restriction of the parties’ freedom of choosing the applicable law. This problem is shared by Modules 1, 2 and 3: the chosen law shall be, in all of these cases, the law of a Member State, whereas a choice of third-country law would be totally admissible under the combined reading of Articles 2 and 3 of the Rome I Regulation. From the standpoint of the general theory of PIL, behind this asymmetry lie irreconcilable philosophical stances as concerns the international interchangeability of (private) laws. The Rome I Regulation starts from the assumption of a perfect interchangeability between all the (private) laws of this world, irrespective of their specific contents, and subject to a sheer ex post control through the gateway of the public policy exception. Conversely, the Commission’s SCCs (and probably the GDPR itself) adopt a more prudential approach based on an ex ante pre-selection of laws (those of the Member States of the EU) which, because of their contents, can be deemed “essentially equivalent” in terms of the protection granted to personal data. Again, this is a thorny issue that the ECJ might likely have to resolve in the near future, considering that, according to the Commission, SCCs are, at present, “the most popular tool” for transferring personal data outside the EEA in accordance with the GDPR (Q&A No. 3).