The publication of the new standard contractual clauses is a step forward for data transfers, but considerable new obligations are imposed on businesses.
This article was initially published on the DLA Piper Privacy Matters blog.
On 12 November 2020, the European Commission published its long-awaited updated draft Implementing Decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. The update to the SCCs has been expected for some time to address the entry into force of the General Data Protection Regulation (“GDPR”) in May 2018, as the existing set of SCCs was implemented under the old Data Protection Directive and still referenced that legacy regime. The delay to the update has been caused by the ongoing dispute in Schrems II regarding the validity of SCCs as a measure for providing appropriate safeguards for transfers of personal data outside the EEA, an issue that was only resolved by the European Court of Justice (“CJEU”) in July this year with the well-known Schrems II decision.
The publication of the European Commission’s draft SCCs is timely given the EDPB’s publication only the day prior of recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as Recommendations on the European Essential Guarantees for surveillance measures.
The main takeaways from the draft SCCs are:
- consolidation of the full range of SCCs that may be required into one document which sets out the relevant clauses that apply on a modular basis, depending on the controller / processor relationship of the data importer and data exporter. Welcome news for organizations is that they have been expanded to include terms for processor to processor and processor to controller transfers (currently not addressed in the existing set of SCCs).
- provision for multi-party use, as well as an optional clause that allows additional controllers and processors to join throughout the life cycle of the SCCs.
- update to include the necessary Article 28 processor terms set out in the GDPR. The position still remains that the SCCs cannot be modified, meaning data importers will be unable to negotiate more favorable data processing terms to those contained in the SCCs.
- inclusion of new clauses to address the specific concerns raised by the CJEU in Schrems II. In particular:
  - A contractual requirement to carry out and document the assessment described by the CJEU of the laws of the third country in order to determine whether the SCCs can in fact guarantee an equivalent level of protection, and a warranty with respect to the same. This includes taking into account the “specific circumstances of the transfer”; the laws of the third country of destination; any additional safeguards such as technical or organizational measures; and ensuring effective enforcement by requiring the data importer to submit to the jurisdiction of the applicable Member State law, authority and court and facilitate data subjects’ right of redress.
  - Reference to the steps to be taken in the event the SCCs do not provide an equivalent level of protection in light of the laws of the third country, such as implementing additional technical or organizational measures, and, failing this, the suspension of the transfer and right to terminate the contract. It also includes instances in which the data exporter must notify the supervisory authority.
  - Additional transparency obligations on the data importer in the case of government access requests, including an obligation to notify the data exporter of such requests or, where it is prohibited from doing so by local law, using best efforts to obtain a waiver to this prohibition.
- ability for the parties to select the governing law of any Member State, which reflects the fact that the SCCs may cover multiple transfers.
The draft SCCs are now subject to an initial public consultation running until 10 December 2020. Following the conclusion of that process, the Commission will then publish a final draft (likely by the end of the year) which will then be subject to Committee consultation by representatives of each EU Member State. In the meantime, we expect to see a joint opinion from the EDPB and the European Data Protection Supervisor on the draft which will be considered by the Commission in the final publication. It remains to be seen whether this will be complete in time for the SCCs to apply to the UK, or whether the UK will adopt similar or alternative SCCs under the UK GDPR regime following Brexit.
Once the updated SCCs are adopted and enter into force, organizations will have a year to update their contracts to include them.
We will continue to monitor and reflect on what is a complex and evolving regulatory position and provide updates with our further considerations in the coming weeks.