European Commission publishes final Article 28 clauses

Simultaneous with the European Commission publishing its final standard contractual clauses for the international transfer of personal data (see our blog post here for further information) (the "New SCCs"), they have now published a final set of standalone Article 28 clauses for use between controllers and processors in the EU, also termed 'standard contractual clauses' (the "Final Article 28 Clauses") (available here).

Publication of the Final Article 28 Clauses follows, in late 2020, the publication of a draft version of the clauses (the "Draft Article 28 Clauses") (for more information on which see our blog post here (the "Draft Article 28 Clauses Blog")).

While the Final Article 28 Clauses will not be mandatory, they may have a material impact on the ways in which controllers and processors who are subject to the GDPR work with each other. In this blog post we look at the movement from the Draft Article 28 Clauses to the Final Article 28 Clauses and the key points raised by them, as well as their forerunners, the UK position, and some practical considerations.

Key Takeaways

• Status and conflict – The Final Article 28 Clauses remain non-mandatory and so their introduction will not necessitate a repapering activity. However there remains the potential for conflict where negotiated provisions and the Final Article 28 Clauses do not align, particularly if the market takes a specific approach, where the Final Article 28 Clauses are used in combination with supplementary measures, or where international transfers require the use of the New SCCs (and incorporated Article 28 provisions). In the latter two cases in the event of conflict, each of the New SCCs or the Final Article 28 Clauses will override any negotiated provisions.
• The Final Article 28 Clauses – The Final Article 28 Clauses remain a reasoned, relatively concise, and balanced set of provisions which continue to take their lead from the New SCCs. In comparison to the Draft Article 28 Clauses, the Final Article 28 Clauses have been tidied and clarified by removing drafting issues (e.g. breach notification) and impractical positions (e.g. nomination of a supervisory authority), as well as moving more towards the position taken in the New SCCs. Some elements remain underdeveloped (e.g. international transfers) and in some instances a more extensive approach has been taken (e.g. non-compliant instructions) but generally they act as a useful benchmark for organisations and, to some degree, remove ambiguity around an often contested set of obligations.
• The long term impact – Whether the Final Article 28 Clauses will become the default, accelerating negotiation and with deviation limited just to any supplementary clauses, remains the key thing to watch, particularly in the context of the Final Article 28 Clauses aligning with the approach in the New SCCs which are mandatory as well as any deviation brought in by the UK (although this does not look likely at the moment). Certainly the Final Article 28 Clauses leave room for discussion, in some areas more than others, but it may be that the European Commission’s seal of approval for them will render any attempted negotiation a non-starter.

Legal Background

Greater detail is provided in the Draft Article 28 Clauses Blog, but to summarise: Article 28 of the GDPR requires that various minimum contractual terms must be included in an agreement where a controller engages a processor to process personal data on behalf of the controller and Article 28(7) anticipated that the European Commission, or a supervisory authority (Article 28(8)), could adopt ‘standard contractual clauses’ in relation to some of the Article 28 matters, specifically those requirements under Articles 28(3) and (4).

Prior to the Draft Article 28 Clauses, only the Danish Data Protection Agency had produced a set of 'approved' clauses (the "Danish Article 28 Clauses") which appear to have been leveraged by the European Commission in preparing the Draft Article 28 Clauses, as well as guidance issued by the European Data Protection Board ("EDPB") regarding the concepts of controller and processor which touched on Article 28 clauses (the "EDPB Guidance") (see the 'Forerunners to the Draft Article 28 Clauses' section of the Draft Article 28 Clauses Blog).

Following publication of the Draft Article 28 Clauses and a period of consultation including some delay, the European Commission published the Final Article 28 Clauses in final working documents on 4th June, with publication in the Official Journal swiftly following.

The Draft Article 28 Clauses and the Final Article 28 Clauses

As with the New SCCs following on from their draft version, the Final Article 28 Clauses do not substantively differ from the approach presented in the Draft Article 28 Clauses. Instead the Final Article 28 Clauses tidy and clarify some of the issues highlighted in the Draft Article 28 Clauses, while also aligning them with the minor amendments made to the Article 28 elements of the New SCCs.

The Final Article 28 Clauses remain a moderately detailed, balanced, and pragmatic set of provisions. We detail the material deviations from the Draft Article 28 Clauses, and discuss some of the primary considerations of the Final Article 28 Clauses, below.

• Status and conflict

 There has been no material change to the approach of the Final Article 28 Clauses being non-mandatory in nature. As discussed at the 'Status and Implementation' section of the Draft Article 28 Blog and 'Practical Considerations' section below, while organisations will be under no obligation to put the Final Article 28 Clauses in place (unlike the New SCCs), organisations will need to consider carefully the interplay between the Final Article 28 Clauses and standard, negotiated versions as well as alignment with any supplementary contractual measures agreed between parties.

The decision implementing the Final Article 28 Clauses will enter into force 20 days following publication in the Official Journal of the European Union, after which it will be instructive to see how and to what extent organisations look to adopt and align their standard Article 28 clauses with the Final Article 28 Clauses.

• Additional Provisions

The Final Article 28 Clauses have introduced some new or reworked elements from the Draft Article 28 Clauses, notably including the following:

• Breach Notification

Clause 9 regarding notification in the event of a data breach has been reworked into two distinct elements regarding different breaches and respective obligations on the processor: (i) breach by the controller; and (ii) breach by the processor.

While this reworking can be seen as welcome with more clearly defined obligations on the processor in relation to different types of data breach, this arguably extends the expectations on the processor in a controller breach situation, an approach not adopted by the New SCCs. As the processor would likely have had limited involvement in a controller breach scenario, commonly its obligations under negotiated Article 28 clauses would be a general one of assistance where reasonably required rather than granular expectations.

However, although the Final Article 28 Clauses do provide more granularity in detailing the information which the processor must assist with helping the controller to provide as part of a notification, in practice there will perhaps be little the processor can actually do or provide in such a controller breach scenario.

• Non-compliant instructions

Where a processor receives instructions from the controller which are not compliant with EU or national law, the Final Article 28 Clauses now contain an explicit requirement on the processor to notify the controller of such instance (unless legally restricted). Such an addition aligns with those commonly negotiated, however notably the Final Article 28 Clauses include a right for the processor to terminate the contract (in so far as it relates to the processing of personal data) where, having informed the controller that an instruction is non-compliant, the controller insists that the processor follows the instruction. This is perhaps not a commonly negotiated right for processors and indeed it does not appear in the New SCCs in this form.

It would, of course, not be likely or in the interests of a controller to persist with instructions where a processor notifies them that such instructions were non-compliant, but the inclusion of this provision certainly adds more teeth from the perspective of the processor.

• Docking clause

As with the New SCCs, the Final Article 28 Clauses enable other parties to "dock" into the Final Article 28 Clauses during the life cycle of a contract, either as controllers or processors. Whilst the process is straightforward by simply updating and signing the list of annexed parties, it will be important to ensure that any such amendment is appropriately considered / addressed elsewhere in a wider agreement, particularly where the Final Article 28 Clauses are annexed to that agreement which refers out to them.

• Alignment with the New SCCs

In general, many of the changes made to the Final Article 28 Clauses in comparison to the Draft Article 28 Clauses have been to align them with the approach taken in the New SCCs. These include, for example: the requirement on a processor to include a third party beneficiary clause in a sub-processor contract to enable the controller to terminate such contract and retrieve data in the event the processor ceases to exist; the explicit inclusion of an obligation on the processor to assist the controller with keeping data accurate and up to date; and pairing back the detailed list of rights available to individuals and associated additional commentary.

There are some instances though where the alignment has notably not been carried through completely or a different approach has been taken (but to a less material degree than those discussed at the 'Additional Provisions' section above):

• Security of processing

Minor amendments have been included to align the Final Article 28 Clauses with the equivalent provisions in the New SCCs, however one amendment which has not been carried across remains the absence of commentary recommending the use of encryption during data transmission, and the use of anonymisation and pseudoymisation techniques where possible. As discussed in the 'Security of processing' section of the Draft Article 28 Clauses Blog, this may be due to a European Commission view that international transfers of data are riskier than those within the EU.

• International transfers

Interestingly, where before there was a weak 'may use' obligation for parties to use the SCCs in situations where a processor engaged a sub-processor, this has changed so that the parties 'can ensure compliance' with the relevant requirements of GDPR by using the New SCCs. Other mechanisms such as an adequacy decision remain unmentioned (unlike in the New SCCs), however the certainty provided by this stronger wording suggests that the European Commission may not be expecting more robust guardrails to be added to augment the Final Article 28 Clauses in such situations.

The Final Article 28 Clauses also do not provide the same level of detail which the New SCCs do on the restrictions and protections which organisations need to put in place prior to an international transfer. This therefore remains an area which appears under-developed, perhaps to avoid any Schrems II compliance issues (see our blog post here), and instead passing them off to parties to negotiate and implement.

• Nomination of Supervisory Authority and Breach Notification

As discussed in the Draft Article 28 Clauses Blog, there were aspects of the Draft Article 28 Clauses that appeared difficult to satisfy or were ill thought through. The Final Article 28 Clauses however provide clarity and tidy most instances of this.

There are now no longer various points where a specific supervisory authority must be nominated, instead only the 'competent supervisory authority/ies'. This updated approach provides greater latitude for parties to the Final Article 28 Clauses to take the steps necessary in light of the particular processing and context of the required notification(s), rather than being overly prescriptive at the point when the agreement containing the Final Article 28 Clauses is executed.

There had formerly been some inconsistency and duplicative drafting regarding breach notification, however the Final Article 28 Clauses have tidied this up and consolidated the relevant provisions into a standalone section (Clause 9), as well as reworking the section to deal with different types of breach (see 'Additional Provisions' section above).

Forerunners to the Final Article 28 Clauses

In the Draft Article 28 Clauses Blog we discussed the Danish Article 28 Clauses and EDPB Guidance which appeared to be leveraged by the European Commission in preparing the Draft Article 28 Clauses.

Broadly, the Final Article 28 Clauses have maintained the position discussed with the changes detailed in the sections above moving towards a more balanced position and on occasion away from the sometimes overzealous approach of the Danish Article 28 Clauses and EDPB Guidance, for instance continuing to not include the very prescriptive drafting regarding the content of the Annexures and pairing back the commentary on data subject rights.

This is likely to be welcomed in that it enables the parties to consider and determine what they may wish to include additionally, without being straightjacketed by minimum drafting which is highly detailed, albeit optional.

UK Position

While the ICO has stated that it is preparing its own standard contractual clauses in relation to international transfers of personal data, it is not apparent whether it is now or will in future prepare standard contractual clauses regarding Article 28 obligations (for which it is permitted to do pursuant to equivalent implementing provisions under the UK version of the GDPR).

Given the indication that the UK will pursue a more relaxed, business-minded approach to data, and the fact that the Final Article 28 Clauses are non-mandatory, it is perhaps unlikely that the ICO will prioritise preparation of such clauses (either by leveraging the Final Article 28 Clauses and their forerunners or suggesting a novel approach), instead leaving such clauses to be commercially negotiated.

However the introduction of the Final Article 28 Clauses is not immaterial to UK-based controllers and processors as, depending on the extent to which they become the default in the market and given their alignment with those in the New SCCs which may impact UK-based data importers and exporters, any UK-based deviation from their approach could add complexity and potential conflict.

Practical Considerations

The primary consideration, for which data practitioners may well rejoice, is that unlike the invalidation of the Safe Harbor and EU-US Privacy Shield, implementation of the GDPR, expiry of the Brexit transition period, and introduction of the New SCCs, the Final Article 28 Clauses do not require any material, immediate action to active agreements, contracting approaches, or otherwise.

The non-mandatory nature of the Final Article 28 Clauses means there will likely be a bedding-in period during which it will become clearer the extent to which organisations wish to leverage the Final Article 28 Clauses, although it should be noted that given they broadly align with the New SCCs (which are mandatory in international transfer situations where other legal bases do not apply) it is perhaps to be expected that they will to some extent become the norm over time.

Therefore there are aspects to consider, particularly if an organisation is considering utilising the Final Article 28 Clauses (either immediately on implementation or following a market shift in due course), including:

• The extent to which the Final Article 28 Clauses align or conflict with an organisation's standard, negotiated versions of them. An organisation's version will likely be pro-controller or processor (depending on the activity and agreement in scope) and, while they will remain legitimate positions, an organisation may need to consider how to create alignment, particularly in circumstances where the Final Article 28 Clauses become the norm or where a combination of the Final Article 28 Clauses and standard versions are intended (as the hierarchy clause in the former will resolve such conflict in its favour). Such a review may highlight that a refresh of contractual provisions is necessary.
• If the Final Article 28 Clauses are used and supplementary contractual measures are agreed between parties in a negotiation, given the hierarchy clause, organisations will need to be cognisant of how their hitherto 'normal' contracting and negotiating approach will work with the Final Article 28 Clauses to ensure that they dovetail.

Conclusions

The Final Article 28 Clauses can be seen as refining and improving the approach of the Draft Article 28 Clauses, themselves a useful development in clarifying the positions and respective obligations between controllers and processors in the EU (and likely the UK). Indeed, they now provide a European Commission-approved benchmark which organisations can use to review their in-force controller-processor standard positions.

The non-mandatory nature of the Final Article 28 Clauses provides some relief for data practitioners in that a (further) onerous repapering exercise is not required and the generally balanced approach of the terms may, where they are used, render negotiations swifter and simpler.

However the post-implementation period will be instructive as it may be that, if the market moves to using the Final Article 28 Clauses by default, organisations will need to consider reworking template agreements and their approach to controller-processor terms, as well as ensuring that they can satisfy the operational elements expected of them by way of the contractual obligations under the Final Article 28 Clauses. This therefore remains an area to keep an eye on.