Alongside, and perhaps in the shadow of, the European Commission publishing its long-awaited draft new Standard Contractual Clauses (the “New SCCs”) to address the restrictions imposed by the GDPR in relation to making international transfers of personal data (for further details see our blog post here), the European Commission has also published a set of standalone Article 28 clauses for use between controllers and processors in the EU, confusingly also referred to as ‘standard contractual clauses’ (the “Draft Article 28 Clauses”).
While the New SCCs have taken the limelight, the Draft Article 28 Clauses may also have a substantial impact on how controllers and processors subject to the GDPR engage with each other going forwards.
Indeed, the Draft Article 28 Clauses appear to have been broadly extracted from relevant modules and sections of the New SCCs (which, as we explained in our blog post on the New SCCs, contain their own set of Article 28 Clauses interspersed throughout the document), but there are some interesting areas of divergence. We summarise the key takeaways below, and then consider in more detail the Draft Article 28 Clauses, including in light of materials which have come before them and apparently informed them, as well as considering their status and implementation.
The Draft Article 28 Clauses themselves are considered in further detail below (including an analysis of material deviations from the New SCCs and other precursors); however, our key takeaways on the clauses, in overview, are:
- The clauses themselves – Broadly speaking, the Draft Article 28 Clauses are a reasoned, relatively concise and balanced set of provisions, which can be augmented with non-conflicting supplementary measures. While certain elements appear underdeveloped (e.g. international transfers) or convoluted (e.g. breach notification), and such areas may well be resolved post-consultation and/or by subsequent guidance, they act as a useful benchmark for organisations and, to some degree, remove ambiguity around an often contested set of obligations.
- Status – The Draft Article 28 Clauses are non-mandatory and so organisations will be able to continue using their own standard and negotiated positions. As such, organisations will not need to undertake an onerous and resource-heavy repapering of their current Article 28 provisions (for which data privacy practitioners may rejoice), however…
- Conflict – Consideration will need to be given to how an organisation’s current standard Article 28 clauses are composed compared to the Draft Article 28 Clauses, particularly where current clauses are pro-controller or pro-processor in nature. There are two primary reasons for this: (i) subject to how the market responds to these clauses, organisations may find it difficult to justify positions which are materially different to those set out in the Draft Article 28 Clauses; and (ii) where organisations use the Draft Article 28 Clauses and add some of their standard supplementary measures, any which conflict will be overridden. Indeed, organisations may consider undertaking a refresh of their standard terms to align them more closely with the Draft Article 28 Clauses, particularly regarding technical and organisational measures, where a substantial description is now expected and may not previously have been the norm for organisations.
- The long term impact – The response to the Draft Article 28 Clauses will be fascinating to watch, particularly as they may well become the norm, accelerating negotiation and with deviation limited to supplementary clauses. Certainly the clauses leave room for discussion, in some areas more than others, but it may be that the European Commission’s seal of approval for these clauses will render any attempted negotiation a non-starter.
Article 28 of the GDPR provides that, where a processor undertakes the processing of personal data on behalf of a controller, the parties must ensure that various elements are included in an agreement between them. This includes information regarding the activity itself (the personal data involved, purpose, duration etc.) as well as obligations on the processor, including undertaking processing in line with documented instructions, assisting the controller with compliance obligations, and deleting or returning personal data at the end of the engagement, amongst others.
Article 28(7) of the GDPR anticipated that the European Commission, or a supervisory authority (Article 28(8)), may adopt ‘standard contractual clauses’ in relation to some of the Article 28 matters, specifically those requirements under Articles 28(3) and (4).
While the introduction of standard Article 28 clauses has been anticipated since the GDPR was implemented in May 2018, the Draft Article 28 Clauses are the European Commission’s first step towards adopting such clauses, and indeed only the Danish supervisory authority has to date managed to produce a set of “approved” Article 28 clauses (more on which below).
Contents of the Draft Article 28 Clauses
At first glance, the Draft Article 28 Clauses appear to be a sensible and balanced set of provisions, providing (in most cases) a moderate amount of detail in relation to the legal requirements under Article 28 of the GDPR, and are not overly long form.
As noted in the introductory remarks above, the clauses have broadly been extracted from various parts of the New SCCs, and a large amount of the drafting is either identical or only minimally altered. However, there are some deviations worth considering, in particular:
- Security of processing – While the Draft Article 28 Clauses broadly mirror the New SCCs in relation to the security-related obligations imposed on processors, the New SCCs include commentary recommending the use of encryption during data transmission, and anonymisation / pseudonymisation where possible, which is not explicitly set out in the Draft Article 28 Clauses.
The absence of this commentary in the Draft Article 28 Clauses potentially highlights the European Commission’s view that data in transit within the EU is not subject to the same level of risk as data that is transferred internationally, as highlighted by the recent Schrems II decision. If this is the case, however, many may disagree with that view.
- Use of sub-processors – Where a processor engages a sub-processor, both the Draft Article 28 Clauses and the New SCCs adopt almost identical positions, save that where the New SCCs require a written contract to flow down the same obligations, the Draft Article 28 Clauses do not require that it be in writing. This seems a peculiar omission, particularly given the immediately subsequent provision that a processor must provide a copy of such an agreement when requested by the controller.
This may well be an oversight, to be amended after the consultation period for the Draft Article 28 Clauses closes (and indeed it is somewhat immaterial given the GDPR’s requirement at Article 28(9) that it be in writing), but it does highlight that the Draft Article 28 Clauses are not simply a ‘copy and paste’ of the equivalent provisions of the New SCCs.
- International transfers – The Draft Article 28 Clauses provide that, where a sub-processor in a third country is engaged, the processor and sub-processor may use the relevant Standard Contractual Clauses (“SCCs”), and make no mention of other applicable mechanisms such as an adequacy decision or another safeguard in accordance with Articles 46 and 47 of the GDPR. This is in contrast to the New SCCs, which do provide that level of granularity.
Given the lack of specificity, and indeed the weak ‘may’ obligation on processors to use SCCs, this is an area where parties could augment the Draft Article 28 Clauses to provide more robust guardrails.
- Data subject rights – Where the New SCCs provide fairly high-level requirements regarding the support to be provided by a processor, the Draft Article 28 Clauses provide substantially more detail.
The Draft Article 28 Clauses exhaustively enumerate the rights available to individuals as well as providing additional commentary on breach notification and data protection impact assessment support obligations.
This additional commentary is an instance where the Draft Article 28 Clauses provide perhaps more of a pro-controller position given the additional rigour detailed, which goes beyond that necessitated by the GDPR, but is more aligned with the EDPB Guidance (discussed further below).
- Breach notification – The New SCCs deal with breach notification and support predominantly in a section entitled ‘Security of processing’. However, the Draft Article 28 Clauses, while extracting and including substantially the same drafting in an equivalent provision (Clause 7.3), also address data breach notifications as part of data subject rights (Clause 8) and in a standalone section (Clause 9).
In some cases the drafting is repetitive (e.g. regarding the information required to be provided, such as the likely consequences of a breach), in others clarificatory (e.g. explicitly detailing the relevant GDPR assistance obligations), and in others novel (e.g. the introduction of an Annex detailing the elements required to be provided by the processor in such a scenario).
The reason for such duplication and inconsistency likely lies in the precedent provisions considered when drafting the Draft Article 28 Clauses (discussed below). Consolidation of these provisions into the new standalone section would likely be preferable (and is something which may be addressed during the post-consultation period); alternatively, parties may put in place supplementary measures to clarify the required process.
- Nomination of Supervisory Authority – There are several points in the Draft Article 28 Clauses (e.g. notifications regarding data breach and termination) which require a specific supervisory authority to be nominated. Such a requirement does not exist in the New SCCs, and it is one which may prove difficult for organisations to satisfy in some circumstances, particularly where multiple jurisdictions are involved in a complex processing activity. Arguably, it is not even needed given the caveat to such a requirement that a notification is considered ‘taking into account the nature of the processing and information available to the data processor’. In other words, different circumstances regarding the same processing activities may require different notification obligations to various supervisory authorities.
Forerunners to the Draft Article 28 Clauses
As noted above, since the implementation of the GDPR, the European Commission has had the option to publish its own standard form of Article 28 clauses. In the absence of this (until now), perhaps the two most significant relevant developments have been: (i) the Article 28 Standard Contractual Clauses introduced by the Danish Data Protection Agency (the “Danish Article 28 Clauses”); and (ii) guidance issued by the European Data Protection Board (the “EDPB”) regarding the concepts of controller and processor, which touched upon Article 28 clauses (the “EDPB Guidance”) (for further details see our blog post here).
A consideration of these is useful, particularly to understand how the European Commission has gone about the process of drafting the Draft Article 28 Clauses and which aspects have been approached more carefully than others.
In respect of each:
- The Danish Article 28 Clauses are an interesting comparison and their influence can clearly be seen in the Draft Article 28 Clauses. This influence is most evident when considering the provisions addressing data subject rights and the (standalone) breach notification provision, where the drafting has been copied almost wholesale. As discussed above, the Draft Article 28 Clauses go into more detail regarding data subject rights than the New SCCs, and it was perhaps felt that this increased detail would be instructive for controllers and processors.
Given how closely the Danish Article 28 Clauses resemble the Draft Article 28 Clauses in places, it is instructive to consider which elements of the Danish Article 28 Clauses the European Commission opted to omit or significantly amend:
- International transfers – The Danish Article 28 Clauses describe the restrictions and protections that organisations need to put in place before transferring personal data internationally in a similar level of detail to the New SCCs. As noted above, the Draft Article 28 Clauses do not provide nearly the same amount of detail. It may be the case that the drafters wanted to avoid any Schrems II compliance points and leave this to the parties themselves to negotiate and implement.
As such, this is an area in the Draft Article 28 Clauses which appears underdeveloped, both in comparison to the forerunners and indeed to market standard. This will therefore likely be an area where parties put in place supplementary measures for clarity.
- Third party beneficiary – The Danish Article 28 Clauses contain an obligation on processors, where they engage a sub-processor, to put in place a third party beneficiary clause for the benefit of the controller to enforce the sub-processor contract directly against the sub-processor in the event of their bankruptcy. While this made it into the New SCCs in predominantly the same form, it is absent from the Draft Article 28 Clauses.
The rationale for its exclusion is unclear, but it may be in line with the approach of taking a balanced position: the Draft Article 28 Clauses also omit some unusually one-sided provisions from the Danish Article 28 Clauses, such as an obligation on the controller to provide sufficient information to the processor to undertake its own independent risk assessment of the processing activities.
- Annex content – The Annexes of the Danish Article 28 Clauses contain substantial optional drafting regarding the details of the processing to be undertaken by the processor on behalf of the instructing controller.
While this accords with the EDPB Guidance that Article 28 clauses should set out this information in detail, the European Commission appears to have steered away from this approach when drafting the Draft Article 28 Clauses, instead leaving it to the parties to determine the form and content of the Annexes in general, including in relation to the details of the processing. This is likely to be welcomed, as it enables parties to consider and determine what is really necessary to include, without being straitjacketed by drafting, albeit optional drafting.
- The EDPB Guidance sets out a number of requirements regarding what would be expected to be included within a set of Article 28 clauses. In the main, the Draft Article 28 Clauses contemplate and achieve what is suggested in the EDPB Guidance, although they do not go as far with the level of granularity suggested by the EDPB Guidance (e.g. there is no express obligation on a processor to receive controller approval before making changes to technical and organisational measures).
In addition, the EDPB Guidance makes clear that information regarding security measures (or a reference to them) must be set out in Article 28 clauses, and the Draft Article 28 Clauses set out a substantial array of placeholders which they suggest the parties should populate with information describing the arrangements in relation to items such as encryption, storage protections, minimisation and data quality, amongst others.
This is information which parties in controller-processor relationships may well not have included in their Article 28 clauses to date, or at least not to the degree expected by the EDPB Guidance and as reflected in the Draft Article 28 Clauses. While the Draft Article 28 Clauses are not mandatory (more on which below), organisations may need to consider refreshing their Article 28 clauses to account for this expectation.
Status and Implementation
Pursuant to Article 2 of the draft implementing decision, the Draft Article 28 Clauses are not mandatory in nature, but are certified as sufficiently fulfilling the requirements for contracts between controllers and processors under Article 28 GDPR (Article 1).
As such, organisations will be under no obligation to put them in place once they have been finalised and formally adopted. This should come as a relief to data privacy practitioners already contemplating significant repapering exercises as a result of the requirements recently published by the European Commission and the EDPB in relation to other aspects of privacy compliance.
What will likely require more considered thought, though, is how organisations’ current standard Article 28 clauses are positioned with regard to the Draft Article 28 Clauses. This will be important as organisations’ current provisions will most likely be swayed to some degree in their favour (i.e. pro-controller or pro-processor). However, while such positions (and indeed other negotiated positions) are still perfectly legitimate, organisations may increasingly find it difficult to justify positions which substantially diverge from the Draft Article 28 Clauses. Indeed, organisations may wish to consider undertaking a refresh of their standard Article 28 clauses in light of the Draft Article 28 Clauses, particularly given that the latter may well become the norm.
Furthermore, where the Draft Article 28 Clauses are utilised, any supplementary contractual measures agreed between the parties will need to align with them. The hierarchy clause in the Draft Article 28 Clauses makes clear that any conflict will be resolved in favour of the Draft Article 28 Clauses, and so organisations which seek to supplement them with their own previous standard positions will need to ensure that these are compatible. This will no doubt be a fertile area for discussion, for example regarding the imposition of stricter termination rights, broader audit requirements, or more detailed information provision expectations.
It should also be noted that the Draft Article 28 Clauses are still out for consultation, a period which is due to end on 10th December, after which some movement may be expected. We will perhaps receive a finalised set of Article 28 clauses in early 2021.
The Draft Article 28 Clauses can be seen as a useful development in clarifying the positions and respective obligations between controllers and processors in the EU. There has long been considerable discussion regarding what is, in fact, appropriate and sufficient in order to meet the Article 28 requirements and, if nothing else, these Draft Article 28 Clauses provide a European Commission-approved benchmark against which organisations can consider their current, in-force controller-processor standard contractual positions. To some extent, then, the Draft Article 28 Clauses have removed ambiguity around what is and is not acceptable in such provisions. It is nonetheless disappointing that it has taken the European Commission over two years to produce this draft; during that period, organisations have had to spend time and resources negotiating their own versions of Article 28 clauses.
What will perhaps be more interesting is, post-implementation (and given their non-binding nature), the extent to which they become the default in the market. It may be that the inclusion of the Draft Article 28 Clauses becomes the standard position, with negotiated provisions falling out of favour, particularly where they look to be pro-controller or pro-processor. Certainly this would make negotiations quicker and easier, and consideration would then need to be given to whether any contractual terms could usefully supplement the Draft Article 28 Clauses.
Given the variations between the Draft Article 28 Clauses and their forerunners, one should also watch closely for how the finalised clauses appear. While some of the areas discussed above may be addressed, there is also the possibility that the clauses introduce further or slightly different obligations to those expected and, for controllers who undertake transfers both within and outside of the EU, any material differences in approach may well have operational consequences.
Despite this, in a period of rapid-fire data protection-related announcements which in some cases have created more confusion and uncertainty than clarity, the arrival of the Draft Article 28 Clauses (notably non-mandatory in nature and not necessitating a repapering activity) perhaps provides some brightness to the overwhelmed data privacy practitioner.