The Commission has published a draft for new standard clauses to ensure compliance with the GDPR in the light of the latest case-law of the European Court of Justice. So far, the new standard clauses are only a draft, but they provide an important insight into the future level of protection in the area of data transfers to countries outside the EU/EEA.
Background
On 12 November 2020, the Commission published a draft for new standard contractual clauses (SCC) for transfers of personal data to third countries (non-EU/EEA countries). The SCCs must be seen in the light of the ECJ's decision in Schrems-II of 16 July 2020, where the European Court of Justice ruled that transfers of personal data to third countries must ensure a level of protection that is "essentially equivalent" to the level of protection under the General Data Protection Regulation (GDPR).
According to Art. 46(2)(c) of the GDPR the Commission may adopt SCCs. The Commission has utilised this opportunity in relation to the current SCCs which are set out in Decision 2001/497/EC5 and Decision 2010/87/EU6, based on the old Data Protection Directive 95/46/EC. These can no longer provide adequate protection, and the increased digitisation has created complex processing chains that have necessitated new and more comprehensive SCCs.
The new SCCs are so far only a draft with the Commission's initial position and will not be finally adopted until after 10 December 2020, when the public consultation period expired. Although they are not definitive, they provide an important insight into what future SCCs will look like. When the final SCCs are adopted, they will repeal the two previous SCCs (2001/497/EC5 and 2010/87/EU6) but can still be used for up to one year after the entry into force of the new SCCs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
