The European Commission has, today, published its draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries (the “Draft SCCs”) which will be open for feedback until 10 December 2020. This follows what has already been an interesting week for data protection after the EDPB adopted its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (more information on the Recommendations can be read here). Coincidence that both the Draft SCCs and Recommendations were published in the same week? Unlikely, but both are very welcome publications following the decision by the CJEU in the Schrems II case.
The Draft SCCs have been in the pipeline since the implementation of the GDPR in May 2018 as the existing SCCs pre-date the GDPR quite significantly. Key takeaways from the Draft SCCs at this stage are as follows:
- GDPR Updates: as was necessary, the Draft SCCs now conform much more closely to the principles, obligations and rights of the GDPR. As discussed further below, the applicability of the provisions differs depending on the capacities of the parties transferring the data (i.e. the differing “Modules”). However, that said, a clear theme can be read into provisions of the Draft SCCs: they seek to capture the key obligations and principles of the GDPR and formulate contractual obligations therefrom which are then imposed on the parties, as appropriate. For example, there are several provisions related to transparency, security and data minimisation, all of which are key pillars of the GDPR. An important point with respect to creating contractual obligations from principles and obligations of the GDPR is that they will bind those importers, where relevant, that may not be subject to the GDPR directly by virtue of Article 3(2).
- Transfer Relationships: the Modules, as referred to above, are a great improvement of the Draft SCCs. Firstly, it appears the Draft SCCs will be the only version available for use, unlike currently where two versions are available depending on the nature of the transfer. Secondly, the Draft SCCs take into consideration that personal data can be transferred from a processor to a sub-processor, and from processor to a controller. These are transfers which are not addressed in the existing SCCs and have led to much confusion and debate, particularly over recent years with international transfers becoming so common.
- Security Requirements: as was likely given the importance of security under the GDPR, the Draft SCCs put particular emphasis on the need to ensure personal data is kept secure whilst in transmission and once it has been received in the third country. This can be seen both from the provisions in the body of the Draft SCCs and also in Annex II (Technical and Organisation Measures) within which a long list of exemplary security measures are included. By providing examples of this nature, it provides a clear indication of the level of security that is expected by the parties wishing to transfer personal data.
- Schrems II Influence: whilst it isn’t known when the Draft SCCs were finalised, it is apparent that they take into account the decision of the CJEU in Schrems II. For example, clause 2, which applies to all Modules, requires the parties to warrant that they “have no reason to believe that the laws in the third country…, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.”, and goes on to essentially require the parties to confirm that they have undertaken the necessary analysis into whether the laws and practices of the third country provide equivalent protection and, if not, that additional safeguards have been implemented. Secondly, clause 3 requires the importer to “promptly” notify the exporter and, where possible, the data subject, if it has received a legally binding request from a public authority for personal data, or has become aware of direct access to personal data by a public authority. Notifying data subjects has been in discussion over recent months as a possible supplementary contractual provision that could be put in place to provide further protection, where necessary, when using the existing SCCs.
As noted, the Draft SCCs are open for consultation until 10 December 2020 and it is, at the time of writing, difficult to gauge the degree to which the Draft SCCs will be further amended. Based on the form proposed, in our view, it seems unlikely the Draft SCCs will go through significant further amendment. Given the relatively short consultation timeline, the Commission appears to be pushing for confirmation and adoption of the new SCCs before the end of 2020; however, that remains to be seen, and we will continue to report on their progress.