EU Commission publishes draft new SCCs

Following the ECJ’s decision earlier this year in Schrems II, and coming just two days after the EDPB’s Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, the Commission has issued draft versions of the new standard contractual clauses (SCCs) for public consultation.

The consultation period ends on 10th December 2020 and the new SCCs are expected to be adopted in early 2021. It should be welcome news to controllers and processors that there will be more certainty.

The new SCCs are far more comprehensive than the current SCCs and bring welcome clarity and conformity with GDPR. However, some serious concerns remain for data exporters, particularly in light of the EDPB Recommendations, which effectively put the burden of determining the adequacy of a third country on the data exporter. Depending on the outcome of the UK adequacy decision, this will be of concern to businesses in the UK and indeed to all controllers and processors in the EU transferring data to the UK after 31st December 2020.

Transfers outside of the EU and Schrems II

Under the GDPR, controllers and processors based in the EU are responsible for ensuring the required level of protection for personal data wherever that personal data travels outside of the EU/EEA. For certain countries the Commission has made adequacy decisions, but this is a limited list of countries and notably does not include the USA. At the time of writing the UK Government is still seeking an adequacy decision from the Commission which will allow for free flow of personal data to the UK from the EU to continue uninterrupted after the end of the Brexit transition period.

In Schrems II, the ECJ upheld the validity of SCCs as an appropriate safeguard under the GDPR to ensure contractually an essentially equivalent level of protection for the transfer of personal data to a third country in respect of which there is no adequacy decision, subject to there being additional safeguards where the laws of the third country do not provide equivalent protection.

Updating the SCCs

The current versions of the SCCs were prepared significantly earlier than the GDPR and there are two versions: (1) controller to controller and (2) controller to processor transfers. Because of the limitations of the existing SCCs, data exporters have been required to develop creative and often very complex contractual constructs to ensure compliance with GDPR.

The new SCCs are closely aligned with the GDPR and provide contractual obligations for four different transfer models: (1) controller to controller, (2) controller to processor, (3) processor to processor and (4) processor to controller. At first sight, the new SCCs are well-drafted and have been developed with ease of use in mind, which will be particularly helpful for negotiations with importers who are unfamiliar with GDPR.

Another simplification is that there is one single document which operates on a modular basis. There are common rights and obligations applicable across all four categories and separate sections applicable to each of the four different categories. Liability between the parties, indemnity obligations in the case of joint liability of the parties and governing law are also addressed. This may mean that some of the more lengthy GDPR clauses which are regularly included within service provision agreements will no longer be required as the parties can rely on their contractual obligations under the new SCCs.

Security Requirements

Unsurprisingly, the draft SCCs deal with the issue of government access to data with additional requirements to address the impact of a third country's laws on the controller's or processor's contractual commitments when the personal data originates in the EU. Particular emphasis is given to the technical and organisational measures which will be taken by the importer to safeguard the security of the personal data in transit and in the third country.

As well as extensive contractual obligations within the body of the SCCs themselves, the Annex incorporates placeholders for some of the supplementary safeguards mentioned in the EDPB's Recommendations such as requirements for certification, internal and external IT governance, pseudonymisation and encryption of data, data minimisation, testing requirements and requirements for physical security. The EDPB's Recommendations will need to be considered in parallel with the SCCs.

Are there any circumstances when SCCs will not be required?

The SCCs are effectively an “artificial” extension of the GDPR by contractual means into those territories where the GDPR does not apply. However, the GDPR has extra-territorial effect and applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where that processing relates to the offering of goods and services or the monitoring of their behaviour in the EU, regardless of whether the processing takes place in the EU. There is an argument that to require SCCs is a duplication of protection given the extra-territorial effect of GDPR. Questions may be raised during the consultation period as to whether SCCs are therefore required in these circumstances. Whether the Commission will address this issue remains to be seen.

What action should processors and controllers take now?

Until the new SCCs have been adopted, the existing SCCs will continue to apply and the draft SCCs should not be used. Once the new SCCs have been adopted, all new arrangements between data exporters and importers should adopt the new version.

In relation to existing transfer arrangements at the time the new SCCs are adopted, where contracts have been concluded before the entry into force of the new SCCs, the Commission has proposed a one year transition period for implementation of the new SCCs, during which time the parties may continue to rely on their existing SCCs.

It would nevertheless be sensible for all data exporters and importers with existing arrangements, or who are in the course of negotiating new arrangements, to start reviewing the technical and organisational requirements and, taking into consideration the list of examples in Annex II, to consider further whether any supplemental requirements might be required in the light of the EDPB’s Recommendations.

If the Commission does not make an adequacy decision in relation to the UK before the end of the transition period, and until the draft SCCs are adopted, organisations exporting personal data from the EU to the UK will need to adopt the existing SCCs.

At this time there is no requirement for UK organisations exporting data to the EEA or other countries in respect of which the Commission has made an adequacy decision to take any other steps as the UK Government has stated that transfers of personal data from the UK to the EEA will be permitted.