You may have seen yesterday that the European Commission have released the long awaited new set of draft Standard Contractual Clauses for the transfer of personal data to third countries (“New SCCs”).
Whilst we never thought the day would come, the timing is interesting given the Schrems ii decision this summer which has brought data transfer mechanisms under the microscope (see our Passle here on Schrems ii).
Here is a quick summary on the New SCCs and the implications on data transfers.
What is the status of the New SCCs? The New SCCs are currently in draft version and open for consultation until the 10 December 2020. They are likely to be finalised in the first part of next year (we think March/April bearing in mind the hoops that need to be gone through) and organisations have 1 year from the date of entry into force to put the New SCCs in place (“Transition Period”).
What transfers will the New SCCs cover? The New SCCs will cover transfers of personal data from within the EU to entities located outside of the EEA on the following basis:
- Controller to controller;
- Controller to processor;
- Processor to controller; and
- Processor to processor.
This is very welcome news to a lot of organisations, particularly given the previous lacuna in law where the standard contractual clauses set out in Decisions 2001/497/EC, Decisions 2004/915/EC (C-C) and 2010/87/EU (C-P) (“Old SCCs”) did not account for transfers on a processor-controller basis or processor-processor basis (lots of fudging has taken place). Once the New SCCs are in force, they will replace the Old SCCs - although bearing in mind the Transition Period.
How are the New SCCs structured? The bad news is that we still do have some paperwork to deal with. However the good news is that rather than having multiple sets of clauses, the New SCCs are structured as general clauses, combined with a modular approach to cater to various transfer scenarios. The approach has been taken on the basis that European Commission recognises in its decision that since the adoption of the Old SCCs ‘important developments have taken place in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.’ Therefore the European Commission believes this revised approach approach will cater to the complexity of modern processing chains. This is of course is the theory, so lets see how they work in practice!
Under the new structure:
- controllers and processors can select the module which is applicable to their situation;
- more than two parties can adhere to the New SCCs; and
- controllers and processors will be permitted to sign up to the New SCCs as both data exporters and data importers throughout the life cycle of the contract the New SCCs are being incorporated into.
The New SCCs are also drafted in a way that are much more closely aligned with the GDPR principles, for example, purpose, transparency, accuracy and data minimisation, storage limitation, security of processing etc. This means they are simpler to read and the proposed C-P/P-C clauses sit together far better than the previous Old SCCs alongside Article 28 data processing agreements.
What new obligations do the New SCCs contain? The New SCCs contain similar-ish obligations to the Old SCCs, but they are just more aligned to the GDPR principles. They also include various obligations on the data importer/data exporter which will make it easier for data subjects to exercise their rights, for example while parties can select the governing Member State law of the New SCCs, such law must allow for third party beneficiary rights (i.e. data subject rights). They also contain more obligations on importers/exporters to assist data subjects with exercising their rights, as well as generally better individual redress mechanisms.
Do we still need to do a risk assessment? While the New SCCs contain revised obligations, organisations will still need to carry out a risk assessment relating to a data transfer if they wish to rely on the New SCCs for the data transfer, in line with the Schrems ii decision. Helpfully the European Data Protection Board (“EDPB”) has issued this week recommendations on supplementary measures, including a 6 step guidance on how to carry out risk assessments and a second document on essential guarantees that data exporters should require (been a busy week for Europe!).
If having done this risk assessment, a risk is identified, the data exporter will still need to implement the supplementary measures advised by the EDPB alongside the New SCCs.
Please note that the supplementary measures recommended by the EDPB are split into technical, contractual and organisation measures. Helpfully the New SCCs do include some of the supplementary contractual measures, such as:
- data exporters have the right to suspend transfers and where there are serious issues around compliance have the right to terminate the contract where the data importer is in breach of or unable to comply with the New SCCs; and
- warranties from the parties that they have no reason to believe that the laws applicable to the data importer are not line with the requirements of the New SCCs.
What does this mean for your contracts and what should you be doing in the interim? Although the New SCCs are still in draft, organisations now have a format to follow. Data processing agreements should be reviewed and where appropriate updated to a) include the additional supplementary measures per the EDPB guidance and b) ensure the structure works with slightly revised structure of the New SCCs.
Until the New SCCs are in force (as mentioned above, likely early next year), organisations can continue to rely on the Old SCCs. Once the New SCCs are in force, data exporters and data importers may for a period of one year from the date of entry into force of the Decision implementing the New SCCs, continue to rely on the Old SCCs for the performance of a contract concluded between them before that date, provided the contract remains unchanged, with the exception of necessary supplementary measures in order to ensure that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679.
This is likely to be helpful given the changes the parties will need to navigate when implementing the New SCCs!!
In more significant news out of the EU this week, the European Commission Thursday released its draft implementing decision on standard contractual clauses for the transfer of data to third countries.