On 12 November 2020, the European Commission published a long-awaited draft implementing decision on new Standard Contractual Clauses (SCCs) for the transfers of personal data between the EU and third countries. A four-week period has been set aside for feedback on the draft clauses. Implementation of the new SCCs is expected in 2021. So, what does this mean?
Standard Contractual Clauses (SCCs) are a widely-used mechanism to allow for the transfer of personal data from the EU to third countries in accordance with the General Data Protection Regulation ("GDPR"). The SCCs were developed under the previous data protection regime, but were not updated when the GDPR was introduced in May 2018. As a result, there have been some discrepancies and inefficiencies between the clauses and practice. These were brought to light in the Schrems II judgment, which illustrated the need to update the SCCs to safeguard data transfers and to bridge gaps between the provisions of the SCCs and the reality of how data is transferred.
In Schrems II, the Court of Justice of the European Union ("CJEU") issued its decision on the validity of two international data transfer mechanisms: (i) the "Privacy Shield" mechanism, which allowed for transfers between the EU and the US; and (ii) the SCCs, which are of more general application. The CJEU upheld the validity of the SCCs, assuring organisations whose data operations rely on such clauses that they can continue to do so. However, the Privacy Shield was found to be invalid. For more detail on this decision, click here.
Although the new SCCs were already in development, the Schrems II decision put further pressure on the European Commission to produce a more robust solution for data transfers in the form of updated SCCs.
The updated SCCs aim to:
1. Implement the Schrems II judgment
The reasoning and decision of Schrems II has influenced the drafting of the SCCs to ensure a higher level of assessment is carried out by all parties involved in the transfer. This includes considering a number of factors prior to transferring data.
2. Address the issue of whether there needs to be additional safeguards applied to data transfers that go beyond the current SCCs
The new provisions will increase the ability of data exporters to rely on the clauses without the need for the type of additional safeguards envisaged by the Schrems II judgment.
3. Address gaps in the current SCCs
The current SCCs do not address the complex ways in which personal data is transferred. These gaps are addressed by the inclusion of content for use in controller-to-controller, controller-to-processor, processor-to-sub-processor and processor-to-controller situations. The updated provisions also expressly state that they can be used by parties that are not established in the EU.
One remaining area of uncertainty relates to the addition of further terms to the SCCs. The European Commission has tried to make it clear that any supplementary clauses will be permitted provided that they do not contradict the SCCs or undermine protection for individuals; however, it remains for the parties to decide whether or not their additional clauses are compatible. The Information Commissioner's Office (ICO), in its comments on the current SCCs, has provided some suggestions of what may be permitted by way of additional clauses.
The new SCCs will replace the existing ones, and therefore organisations currently relying on SCCs for their data transfer will be required to implement the new clauses. Organisations will be afforded a one-year grace period from the approval of the new clauses for implementation purposes.
Following the end of the Brexit transition period on 31 December 2020, the UK will need to put in place measures to allow data transfers to continue between the EEA and the UK. If the UK is unable to achieve an adequacy decision from the European Commission, there will be a need for contractual formalities, meaning that many UK businesses would be required to rely on SCCs to ensure that the free flow of data can continue lawfully from 1 January 2021.
The ICO is reviewing the updated SCC provisions along with the two recommendations just published by the European Data Protection Board following Schrems II. These two recommendations update the European Essential Guarantee for surveillance measures and address the issue of additional safeguards that organisations may need to take to support international transfers. This second document is out for public consultation. The ICO has indicated it will consider whether it needs to publish its own guidance in due course.
While new SCCs will not overcome all issues with data transfers, this long-awaited news is promising.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.