Take Two on Standard Contractual Clauses – The European Commission’s draft new SCCs

Following the Court of Justice of the European Union’s Schrems II decision of earlier this year, the European Commission has recently published a blueprint on drafting standard contractual clauses.

On 12 November 2020, the European Commission published a draft of the new standard contractual clauses (or “draft SCCs”) for the transfer of personal data to third countries, pursuant to the General Data Protection Regulation (“GDPR”), as well as a draft implementing decision on such transfers for public consultation (which ends on 10 December 2020).

Background

Pursuant to Article 46(1) of the GDPR, in the absence of an adequacy decision of the Commission, a controller or processor may transfer personal data to a third country (i.e. a country outside the EEA) where it has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission.

Until now, the “appropriate safeguards” in the form of standard data protection clauses were based on the Commission’s standard contractual clauses adopted in 2001 and 2010 (the “old SCCs”) for compliance with the GDPR’s predecessor, Directive 95/46/EC. Unsurprisingly perhaps, given their age, the old SCCs fail to take account of a number of data transfer scenarios now encountered by controllers and processors on a day-to-day basis. In addition, the Court of Justice of the European Union’s decision in Schrems II in July of this year (see here for our briefing on this) has cast doubt over whether the old SCCs do in fact provide the appropriate safeguards envisaged under the GDPR for transfer or for effective legal remedies for data subjects.

The New Clauses

The draft SCCs, once in final form and approved, will replace the old SCCs used by “data exporters” and “data importers” as a GDPR-compliant safeguard for transferring personal data to a third country, including third-country based controllers and processors to whom the GDPR applies.

The draft SCCs adopt a “modular approach” that allows parties a degree of customisation to capture differing transfer scenarios. The modules comprise transfers from:

  1. controller to controller,
  2. controller to processor,
  3. processor to processor, and
  4. processor to controller.

The inclusion of the module 3 and 4 clauses is a welcome addition, in keeping with the reality and the growing complexity of modern data processing relationships.

The new draft SCCs also include an optional “Docking Clause” which streamlines the mechanism for new parties to accede to the draft SCC clauses at any time. This means that new parties may accede to SCCs already in force between a company and a third country service provider, for example, thereby relieving the company from the burden of entering into a new set of SCCs every time it engages a further third country processor.

Most likely in response to Schrems II, the draft SCCs also place certain obligations on parties in connection with the local laws of the country of destination. The parties will be obliged to warrant that they have no reason to believe that the local laws of the country of destination will prevent the data importer from fulfilling its obligations under the SCCs and, in addition, that they have taken account of certain factors including:

  1. the circumstances of the transfer;
  2. the laws of the country of destination, in light of the circumstances of the transfer; and
  3. any appropriate safeguards in addition to those in the SCCs.

Further, the data importer will have a number of additional obligations in circumstances where it receives a government access request in the country of destination, such as notifying the data exporter where possible and, if it has grounds to do so, challenging the request.

The Way Forward

At the conclusion of the public consultation, the draft SCCs will undergo assessment by the EDPB and the European Data Protection Supervisor (EDPS) before adoption by the Commission through an implementing decision.

Under the draft in its current form, organisations will have a 12-month transitional period from the date the new SCCs come into force (expected in early 2021) to replace contractual provisions based on the old SCCs. Note, however, that this transitional period will only apply to contracts concluded before the new SCCs come into force. New contractual provisions will also need to account for the EDPB’s draft recommendations on supplementary measures following Schrems II (also due to be finalised in early 2021).

Businesses are, therefore, advised to assess their current third country data transfer arrangements to prepare a smooth transition to the new SCCs.

Also contributed by Siobhán Power & Aishwarya Jha 

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.