Share This Article
I summarize the main changes introduced by the new standard contractual clauses on data transfers and why they matter so much in this podcast.
As part of the podcast “Laws of Disruptors”, I tackle in 5 minutes the pivotal innovations introduced by the European Commission on the new sets of Standard Contractual Clauses regulating data transfers, also in the view of the Schrems 2 case.
You can find below the transcript of the podcast:
The European Commission approved a new set of Standard Contractual Clauses that will address transfers of personal data outside of the European Union.
The main changes are that they address a new type of data transfer from processor to processor and from processor to controller that were scenarios not addressed by the previous version of the Standard Contractual Clauses. Also, onwards transfers are addressed and in general terms there is a control on all the supply chain, covering also the situation where there is a known an EU entity to which the GDPR applies.
The second peculiarity is that we have a single set of Standard Contractual Clauses with some modules, some choices that need to be taken which has the consequence that their implementation is not just a copy and paste exercise. There are substantial obligations on the exporter in order to check the ability of the data importer to ensure compliance with the clauses. There isn’t a specific reference to the implementation of any sort of checklist, it’s up to the data exporter to decide how to check the compliance of the data importer. There is a very broad liability clause uncapped and also the fact that the Standard Contractual Clauses prevail over contrasting additional contractual arrangements makes sure that any liability cap will be difficult to be enforced because it will be in contrast with what is provided by the SCCs.
There is the tackling of the Schrems II case since, as expected, the Standard Contractual Clauses are not the solution to the data transfer. They expressly require to perform an assessment of the laws of the importing country, of the technical organizational and contractual measures that are implemented or the peculiarities of the data transfer and in this context, a tool like a DLA Piper’s transfer tool that is a legal tech tool and a methodology in order to assess the risks connected to the data transfer which has become something essential in any kind of organization because it allows to speed up the process of assessment that otherwise will be very time consuming, and time is not something that we have, because the new Standard Contractual Clauses will become effective 21 days after the publication on the Official Gazette from that time there will be a three-month window where parties can decide to use the old or the new version of the SCCs, but then you have a 15-month period in which you need to replace all the Standard Contractual Clauses with the new ones. It seems a long period of time but as I said before it’s not a copy and paste exercise.
The SCCs embed the data processing agreement so you will have to see which of the provisions of the existing data processing agreements are not covered by the Standard Contractual Clauses. You will have to run new negotiations between the parties likewise you will have to run, as I mentioned before, the assessments on the laws of the data importing countries, also since there is a control on all the supply chain or on the onwards transfers even M2M are impacted if the ultimate entity to which they provide the service will process personal data because the SCCs will also apply in a relationship between processors and sub-processors, and therefore there will be a reshuffling of all the relationships between the parties in a timeframe that again appears long but definitely is not
