On 12 November, the European Commission published its revised draft Standard Contractual Clauses for consultation (New SCCs). Once approved, the New SCCs will constitute an appropriate safeguard for making international transfers of personal data under the General Data Protection Regulation 2016/679 (GDPR).
The release of the New SCCs may have been expedited by the Court of Justice of the European Union’s recent “Schrems II” decision, which struck down the EU-US Privacy Shield. Many businesses have since been forced to rely on the existing standard contractual clauses (Existing SCCs) when making EU-US data transfers, which has highlighted, in a very public way, the limitations of the Existing SCCs. In particular, the Existing SCCs do not accommodate new and more complex processing operations, particularly those involving multiple data importers and exporters, long and complex processing chains and evolving business relationships.
The New SCCs may change following the consultation; however, as currently drafted, some key aspects are as follows.
Types of transfer
As under the Existing SCCs, the New SCCs will permit controller to processor and controller to controller transfers of personal data. However, the New SCCs will additionally allow processor to processor and processor to controller transfers. This will likely be welcomed by businesses, given that the transfers permitted by the Existing SCCs are often too narrow and are not applicable to certain common international transfers (e.g. processor to sub-processor transfers).
One set of clauses
The Existing SCCs comprise two separate sets of clauses: one for controller to controller transfers and another for controller to processor transfers. By contrast, the New SCCs adopt a "modular" approach, in which the terms relating to all types of transfer are set out in the same document. It will be for the parties to determine which sections of the New SCCs are most relevant to their transfer.
Whereas only two parties could enter into the Existing SCCs at one time, more than two parties can adhere to the New SCCs. Additionally, where parties have already entered into the New SCCs, a third party will now be able to subsequently accede to the New SCCs by virtue of a new docking clause. This should limit the number of separate contracts that businesses need to enter into when making international transfers.
Sufficient level of protection
The New SCCs oblige both data exporter and data importer to carefully assess whether the data importer can guarantee a sufficient level of data protection. In particular, the specific circumstances of the transfer need to be taken into account, as well as the local laws to which the data importer is subject. Businesses must also assess whether supplementary measures can be taken to protect personal data, e.g. in the case of the data importer, notifying the data exporter and data subject of a legally binding request from a government authority to access personal data.
Of course, in light of the UK’s exit from the EU, the standard clauses are likely to be used widely when transferring personal data into the UK. It remains to be seen whether the UK will adopt the same model clauses as these revised clauses in due course.
The consultation will run until 10 December 2020, so any thoughts on the New SCCs should be communicated to the European Commission before that date.
Once the New SCCs have been approved, businesses should be ready to replace all Existing SCCs in existing contracts with the New SCCs. The Commission has confirmed that there will be a 12-month "transition period" following the adoption of the New SCCs by the Commission, in which the Existing SCCs may continue to be used. However, following the end of the transition period, the Existing SCCs will no longer constitute an appropriate safeguard for making international transfers of personal data under the GDPR.