On November 12, 2020, the European Commission (EC) published a long anticipated draft of new Standard Contractual Clauses (SCCs) for the transfer of personal data from the European Economic Area (EEA) to third countries whose privacy regimes are not deemed “adequate” by the EC. The new draft SCCs were finally updated to align with the GDPR, which entered into force two and a half years ago. The draft SCCs also attempt to address concerns raised by the Court of Justice of the European Union (CJEU) in Schrems II (see our previous OnPoint on this) which invalidated the EU – U.S. Privacy Shield and raised questions about the validity of the current SCCs for data transfers to third countries (and in particular the U.S.). The draft SCCs were accompanied by a consultation draft implementing decision. With no replacement for the Privacy Shield immediately in sight, and absent approved certifications or self-regulatory codes of conduct for cross border data transfers, the draft SCCs may enable companies to make use of this updated mechanism to continue to legalize cross-border data transfers.
Public consultation is open until December 10, 2020 and comments may be submitted here. Given this timeframe, it seems unlikely that the SCCs will be finalized by the end of the year but note that, following the EC’s adoption of the updated SCCs companies will have one year to transition from the current SCCs to the new ones and take on what could be a hefty re-papering exercise of existing contracts.
The draft SCCs were published the day after guidance was released by the European Data Protection Board (EDPB) to “ensure compliance with the EU level of protection of personal data” in relation to access by foreign law enforcement and intelligence agencies.
Key Changes
The draft SCCs, which remain non-negotiable except for the addition of commercial terms that do not conflict with the SCC provisions, consist of four “modules” (e.g., versions) to be used depending on the data transfer use case and the exporter’s and importer’s status under the GDPR. These modalities are:
- Controller to Controller
- Controller to Processor
- Processor to Sub-Processor
- Processor to Controller
The current SCCs (Controller to Controller and Controller to Processor) may only be used where the exporter is established in the EEA whereas the draft new SCCs specifically cater for non-EEA data exporters which are subject to the GDPR. This, and the new Processor to Sub-Processor and Processor to Controller SCCs will expand the availability of SCCs to instances where there is no EEA-based controller exporter which is a welcome development for many processors and their customers.
The draft SCCs also purport to allow the parties to fulfil Article 28 terms for processors. The provisions do not seem as extensive as the European Data Protection Board has suggested such terms need to be when commenting on the draft Article 28 standard clauses submitted by supervisory authorities, and so businesses may find that there are differing standards for Article 28 compliance depending on the relevant supervisory authority (and if that supervisory authority has adopted Article 28 standard clauses for use) and whether there are any cross-border data transfers. This option offers the benefit of streamlining the contracting process by eliminating the need for a separate data processing agreement but processors may find that they are less able to include processor-favorable terms.
Finally, as noted above, the draft SCCs include provisions aimed at addressing the concerns of the CJEU in Shrems II. The draft SCCs appear to reflect a concerted effort by the EC to ensure the clauses withstand the kind of challenge that was fatal to the Privacy Shield and has jeopardized their use for data transfers from the EEA to the U.S. Hence – the inclusion of obligations to assess the risk of foreign law enforcement or intelligence agency access to personal data that is disproportionate and offers no recourse to data subjects. The draft SCCs include clauses mandating a multi-step assessment and implementation of technical, organizational and administrative safeguards. Note though that the draft SCCs would not absolve businesses of the need to undertake their Schrems II assessments (see our OnPoint for further guidance), they simply put it on a contractual footing. Therefore, organizations will want to assess what arrangements they may need to put in place to conduct the type of diligence on foreign law that is now required and how they intend to respond to requests from foreign law enforcement or intelligence agencies.
We will continue to monitor developments, including developments related to the consultation of and any amendments to the draft SCCs as well as any further guidance from data protection authorities.
