On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).
The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU's decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.
The main changes introduced by the draft SCCs are summarised below.
Extra-territorial scope: The draft SCCs offer greater flexibility. Data exporters that are subject to the GDPR but not established in the EEA may now rely on and use the draft SCCs as a valid transfer mechanism.
Flexibility: The draft SCCs provide a mechanism for additional parties to accede to the signed agreement as data exporter or data importer. This will likely be useful in the context of a group of companies: once a new company joins the group, a deed of accession can be signed. This will likely decrease the amount of documentation organisations are required to enter into and keep for accountability purposes.
Modular approach: The Commission has adopted a modular approach to the draft SCCs, which includes general terms applicable to all transfers, and 'modules', which include bespoke clauses. The 'modules' of the draft SCCs cover transfers from:
- Controller to controller (C2C);
- Controller to processor (C2P);
- Processor to processor (P2P); and
- Processor to controller (P2C).
The inclusion of P2P and P2C clauses addresses a gap in the current SCCs.
Inclusion of Article 28 GDPR obligations: The Commission has incorporated obligations that are designed to comply with Article 28 requirements, to regulate C2P and P2C relationships. The proposed provisions appear to be more prescriptive than those required by Article 28 GDPR. For example, audit rights and cooperation obligations are generally commercially negotiated between the parties.
Schrems II response: The draft SCCs include provisions that directly address the Schrems II decision, including a duty to conduct (and document) a data transfer assessment. This will likely be welcomed by organisations that were waiting for official guidance on how to practically respond to the Schrems II decision. One downside is that the draft SCCs impose an obligation on the parties to 'warrant' they have no reason to believe the laws of the importing country are inadequate. The Commission appears to have gone beyond the requirements of the Schrems II decision in the following respects:
- Parties are now required to review 'the laws' of the importing country, not just the surveillance laws;
- The factors to be taken into account when assessing the importing country's laws go beyond those recommended by the EDPB in its draft supplementary measures guidance and there is an implied expectation for supplementary measures to be implemented for all transfers; and
- Parties are required to use 'best efforts' when conducting such assessments.
Unlike the EDPB in its recommendations on supplemental measures for international transfers (see more about this here), the Commission appears to allow parties to conduct a risk-based assessment of third country laws. A risk-based approach will surely be welcomed by many organisations.
Remedies: The draft SCCs include, as generally applicable clauses, joint and several liability and indemnification clauses. Such provisions cut across the parties' right to freely negotiate the liability and risk apportionment provisions in contracts and do not allow for a more tailored approach, depending on the specific circumstances and risk profile of the relevant agreement.
The consultation period is open until 10 December 2020. If you are interested in submitting your comments, you can do so by accessing this link.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.