The European Commission recently published its new draft Standard Contractual Clauses (SCCs) for international transfers of personal data to third parties located outside of the EEA.
The new SCCs have been expected for some time in light of the coming into force of the GDPR. The existing set of SCCs was implemented under the former Data Protection Directive 95/46/EC and still references that regime. The delay was due to the European Commission having to reconcile the new SCCs with the decision of the Court of Justice of the European Union (CJEU) in Schrems II.
Whilst the new SCCs align with the GDPR, address the Schrems II decision, and directly incorporate some of the European Data Protection Board (EDPB) Recommendations on Supplementary Measures (01/2020), they are not a catch-all solution for international data transfers. Parties will still be required to undertake a risk assessment of the transfer and to adopt supplementary measures (where necessary) to ensure that the new SCCs are effective in the third country concerned. Where the new SCCs, even with supplementary measures, do not provide a level of protection essentially equivalent to that guaranteed in the EEA, companies will be obliged to suspend and/or terminate the transfer.
We have set out below the key highlights of the new SCCs:
- Scope: The SCCs cater for four different international transfer scenarios in one modular document: controller to controller, controller to processor and, for the first time, processor to sub-processor and processor to controller transfers. The SCCs may be used by EU controllers and processors when exporting personal data to controllers and processors established in a third country. They may also be used by non-EU controllers and processors that are subject to the GDPR pursuant to Article 3(2), because they offer goods or services to, or monitor the behaviour of, data subjects in the EU.
- Grace Period: The SCCs will repeal and replace the current controller to controller SCCs (Decision 2001/497/EC, as amended) and the controller to processor SCCs (Decision 2010/87/EU). Companies will have a one-year grace period to replace their existing SCCs with the new SCCs (provided the existing SCCs remain unchanged during that period, with the exception of necessary supplementary measures). This will inevitably be an enormous task for many companies, and complying with the new contractual commitments will also involve significant effort.
- GDPR alignment: The SCCs align with the GDPR, in particular by including the contractual obligations that must be imposed on processors pursuant to Article 28(3) and (4) GDPR. Both controllers and processors are also required to be able to demonstrate their compliance with the SCCs in line with the GDPR’s accountability principle.
- Multi-Party Use: The SCCs may be used by multiple parties, thereby limiting the number of separate contracts companies must sign. There is an optional 'docking clause' which allows additional controllers and processors to join as data exporters or importers throughout the life cycle of the SCCs, by completing and executing the relevant Annex to the SCCs.
- Onward Transfers: The SCCs allow onward transfers by the data importer to a recipient in another third country only if such recipient accedes to the SCCs or is bound by another valid transfer tool, or the continuity of protection is otherwise ensured.
- Additional Clauses: As is currently the case, the SCCs themselves cannot be modified; however, the data exporter and importer are free to include the new SCCs in a wider contract and to add other clauses or safeguards, so long as these do not conflict, directly or indirectly, with the SCCs or prejudice the rights of data subjects.
- Addressing Schrems II: The SCCs include extensive obligations to address the Schrems II decision. In particular, the parties are required to warrant that they have no reason to believe that the laws in the third country of destination prevent the data importer from fulfilling its obligations under the SCCs. In giving this warranty the parties declare that they have carried out a risk assessment of the transfer, taking into account, in particular: (i) the specific circumstances of the transfer (including factors such as the nature of the personal data; the purpose, scale and regularity of the transfer; the type of recipient; and whether the data importer has received any prior disclosure requests from public authorities, including law enforcement); (ii) the laws of the third country, including those requiring disclosure of personal data to public authorities; and (iii) any safeguards, such as technical or organisational measures, applied during transmission and to the processing in the third country. The parties are required to document their risk assessment and make it available to the competent data protection authority (DPA) on request.
- Incorporation of EDPB Recommendations: The SCCs also directly incorporate some of the EDPB Recommendations on Supplementary Measures (01/2020). For example, the SCCs require the data importer to review the legality of any request for disclosure from public authorities (including law enforcement) in the third country and to challenge the request if there are grounds under the laws of the country of destination to do so. The data importer is also required to provide only the minimum amount of information permissible under the applicable law when responding to a disclosure request.
- Retention of existing obligations: The SCCs retain certain contractual obligations from the existing SCCs, including, for example, the data importer's obligation to notify the data exporter of any inability on its part to comply with the SCCs, and the data exporter's obligation to notify the competent DPA if it decides to continue the transfer after receiving such notice.
- Governing law and jurisdiction: The parties may choose the law of one of the Member States to govern the SCCs; however, the chosen law must allow for third party beneficiary rights, so that data subjects can invoke and enforce the SCCs. The parties may also choose the courts of a Member State as the forum for disputes, but a data subject may also bring legal proceedings against the data exporter and/or importer before the courts of the Member State in which he or she resides.
- Liability and Indemnification: Where a data subject suffers material or non-material damage as a consequence of any breach of his/her third party beneficiary rights under the SCCs, he or she is entitled to compensation. This is without prejudice to any liability of the data exporter under the GDPR. Where one party is held jointly and severally liable for a breach of the SCCs together with another party and has paid compensation, it is entitled to claim back from the other party that part of the compensation corresponding to the other party's share of responsibility for the damage. This mirrors the liability provisions in Article 82 GDPR.
The draft SCCs are subject to a public consultation until 10 December 2020. The final SCCs will likely be adopted by the European Commission in early 2021. Companies will need to map their current data transfer arrangements, carry out the required transfer risk assessments, and replace all existing SCCs with the new SCCs before the one-year grace period expires.