The European Commission (EC), on 12 November 2020, published a draft adequacy decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final adequacy decision
Under the draft SCCs (set out in the Annex of the EC’s Draft) a data importer must agree to comply with various data protection obligations reflecting principles in the GDPR relating to (i) purpose limitation; (ii) transparency by providing data subjects with details of the identity of the data importer and third parties; (iii) accuracy and data minimisation; (iv) storage limitation; and (v) information security. In relation to special categories of personal data (e.g., data concerning health) the data importer must agree to apply additional safeguards adapted to the specific nature of the data and the risks. In relation to onward transfers, the data importer must not disclose personal data to a third party located outside the EU unless the third party agrees to be bound by the SCCs or another onward data transfer solution as set out in the draft SCCs applies. The exporter must warrant it has used reasonable efforts to determine that the data importer is able to satisfy its obligations under the SCCs.
The draft SCCs “combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains.” In particular, unlike the existing SCCs, the draft SCCs address transfers of personal data from either a controller or a processor in the EEA to a controller, processor or sub-processor in a third country. It will be for the parties to select the module applicable to the specific transfer, in addition to the general clauses which apply to all parties irrespective of role. The Modules are as follows: Module 1 – controller to controller transfers; Module 2 – controller to processor transfers; Module 3 – processor to processor transfers; and Module 4 – processor to controller transfers.
The draft SCCs are intended to also satisfy the requirements of Article 28(3) of the GDPR (i.e., the mandatory data processing provisions) where the draft SCCs are entered into by a controller in the EEA and a processor in a third country – provided they are not amended. Indeed, Annex II of the draft SCCs includes prescriptive examples of the technical and organisational measures to be implemented by the (sub) processor – i.e., in line with the recent draft guidance published by the EDPB on controllers and processors which requires that details on the specific security measures be included in the data processing agreement. The EC’s Draft also makes clear that draft SCCs are intended for multiple parties (i.e., not just one exporter and one importer), and additional parties are permitted to accede to the draft SCCs (for example, in the case of onward transfers) by virtue of what is referred to as a “docking clause”. The draft SCCs also expressly acknowledge the potential for incorporating the SCCs into a wider agreement (e.g., a Master Services Agreement), but provide that in the event of a conflict, the SCCs shall prevail.
In line with the CJEU’s ruling and the draft recommendations published by the EDPB, the EC’s Draft reiterates that transfers of personal data under the SCCs should only take place if the recipient third country’s laws do not prevent the data importer from complying with the SCCs. In turn, the EC’s Draft encourages parties to “provide additional safeguards via contractual commitments that supplement the [SCCs],” and emphasises the need for parties to be able to demonstrate compliance with the SCCs. In particular, the EC’s Draft requires the data importer to “keep appropriate documentation for the processing activities under its responsibility, and to promptly inform the data exporter if it is unable to comply with the [SCCs], for whatever reason.”
Importantly, the EC’s Draft provides that parties can continue to rely on the existing SCCs for a period of one year from the date of entry into force of the EC’s Draft, provided supplementary measures are implemented as necessary (i.e., in accordance with the EDPB’s draft recommendations). In turn, companies relying on the existing SCCs to legitimise their international transfers will have just one year from the date of approval to migrate to the draft SCCs – a potentially very large administrative burden for companies and something which should be considered now as part of their broader Schrems II project.