On 12 November, the European Commission published two sets of documents:
- a draft of the new standard contractual clauses for transfers of personal data from the European Union to third countries ("New SCCs"); and
- a draft of standard contractual clauses that can be used by controllers when engaging processors located in the European Union ("Article 28 Clauses").
Once approved, the New SCCs will replace the previous standard contractual clauses used by organisations as an appropriate safeguard for making international transfers of personal data under the General Data Protection Regulation 2016/679 ("GDPR").
Based on the draft implementing decision, businesses will have twelve months from the date the New SCCs enter into force to replace any existing standard contractual clauses they currently rely on for international transfers of personal data with the New SCCs. The European Commission is expected to adopt the New SCCs at the beginning of 2021.
As a result, businesses will need to undertake a remediation project to assess their data transfer arrangements and replace their existing network of standard contractual clauses with the New SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the EEA in compliance with the GDPR.
The 28-page New SCCs use a modular approach where specific sets of clauses can be used not only for controller-to-controller and controller-to-processor transfers, as is the case today, but also for processor-to-processor and processor-to-controller personal data transfers. The New SCCs now contain an optional Docking Clause, whereby new parties may accede to the New SCCs, either as a data exporter or a data importer, at any time by way of executing a specific Annex.
The New SCCs are more comprehensive than the previous sets. On the one hand, they reiterate the legal requirements introduced by the GDPR in 2018, such as increased transparency obligations of the parties and strengthened data subject rights. On the other hand, the New SCCs also aim to address some of the new requirements arising from the decision of the European Court of Justice earlier this year, which invalidated the EU-US Privacy Shield and required parties using the standard contractual clauses to assess whether the personal data transferred to countries outside of the EEA would be afforded an adequate level of data protection according to the GDPR requirements (for a further analysis of the judgment see our client alert and further commentary).
In particular, the New SCCs reinforce the obligation of the data exporter and the data importer to conduct a comprehensive assessment to determine whether the data importer in the third country, if that country has not been recognised by the European Commission as offering an adequate level of data protection, can actually guarantee an adequate level of data protection as stipulated by the GDPR and the New SCCs. The New SCCs stipulate that, in order to do this, the specific circumstances of the transfer need to be taken into account, as well as the laws of the state where the recipient of the personal data is located, especially with regard to access by public authorities to the transferred personal data. Businesses must also assess whether supplementary measures can be taken to protect personal data in the third country (for more information about the assessment required and the supplementary measures see our client alert on the European Data Protection Board's Recommendations 01/2020).
The data importer will be obliged to notify, where legally possible, the data exporter and the affected data subjects, if it receives a legally binding request from a public authority to disclose personal data transferred pursuant to the New SCCs, or if it becomes aware of any direct access by public authorities. Furthermore, the data importer will be required to exhaust all available remedies to challenge the access request if it concludes that there are grounds under the local laws to do so.
Helpfully, the adoption of the New SCCs between a controller located in Europe and a processor located outside of Europe will also replace the need for the controller to impose separate contractual measures on the processor to comply with the controller's obligations under Article 28 of the GDPR.
Article 28 Clauses
Alongside the New SCCs, the European Commission has also published draft standard contractual clauses between controllers and processors located in the European Union. These contain clauses that a controller can impose on the processor to satisfy the contractual requirements that the controller is obliged to impose under Article 28 GDPR.
The use of the European Commission-approved Article 28 Clauses will not be compulsory and businesses may continue to use bespoke data processing agreements between controllers and processors to satisfy the requirements of Article 28 GDPR.
The New SCCs and Article 28 Clauses are currently open for public consultation until 10 December 2020 and also await feedback from the European data protection authorities.