On 12 November 2020 the European Commission published its proposals for new standard contractual clauses for transfers of personal data outside the EEA. In this blog we assess what the changes are and consider whether they address any of the questions raised by the recent Schrems II case.
EU data protection law was updated in 2018 through the introduction of the GDPR. However, one of the most common mechanisms for transferring personal data outside the EEA, the standard contractual clauses (SCCs), has continued to reflect the previous regime under Directive 95/46/EC.
The delay in updating the SCCs has presented some practical issues we have all been looking to solve. These include: references in the SCCs to outdated terms; the lack of legal certainty around the use of the existing SCCs; and operational issues such as the fact that the SCCs do not reflect how data is exported to third countries in practice.
In addition, the validity of the SCCs has been subject to challenge in the European Court of Justice. While the ECJ has given the SCCs conditional approval, improvements could be made to better provide for an essentially equivalent level of protection for personal data.
More data flows can now rely on SCCs
As noted by the Commission in its draft implementing decision:
"technological developments are facilitating cross-border data flows necessary for the expansion of international cooperation and international trade… it has to be ensured that the level of protection of natural persons guaranteed by [GDPR] is not undermined, including in cases of onward transfers."
Previously, only controller-processor and controller-controller exports of personal data could utilise the SCCs.
While this captures the vast majority of international data transfers, the new SCCs cover additional scenarios. The new SCCs use an innovative modular design, with two new data flows now being covered:
- processor to (sub)processor transfers; and
- (EU) processor to (non-EU) controller transfers.
The new processor to processor provisions are welcome and provide a better solution for modern supply chains where exports are often made by a processor to a sub-processor. However, these clauses will require careful use, given the need for the controller to have oversight and control over any transfers by a processor.
The addition of EU processor to non-EU controller provisions will surprise many, given that the Commission had not addressed this transfer in its previous SCCs and such transfers have gone on for many years where EU-based entities act as processors for entities outside the EEA.
The processor to controller provisions are limited, with many provisions only applying where the EU processor combines personal data received from the non-EU controller with personal data collected by the processor in the EU.
However, it is surprising that the Commission's draft implementing decision does not better explain the rationale behind these modules, particularly given that these will be relevant to many EU to UK transfers if the Commission does not make an adequacy decision in relation to UK law following the expiry of the post-Brexit transition period.
In the meantime, it is unclear what the Commission expects EU processors to do (if anything) in relation to current transfers of personal data to non-EU controllers.
Do the new SCCs address the issues raised by Schrems II?
One of the principal outcomes of the Schrems II decision (see our analysis here) is that if organisations want to transfer personal data outside of the EEA to a country or territory in respect of which there is no adequacy decision, then certain "supplementary measures" may be required in addition to any Article 46 transfer tool, such as SCCs or Binding Corporate Rules. Supplementary measures are necessary where the importing country's domestic law means that there is not an essentially equivalent level of protection.
What is immediately clear is that these new SCCs do not in themselves meet the requirements laid out in Schrems II: they cannot on their own ensure that transferred personal data is afforded a level of protection essentially equivalent to that under GDPR. Instead, they simply include additional provisions that may assist with some supplementary contractual measures. Parties will still have to take additional and proactive steps to ensure the legal framework of the importing country does not undermine this fundamental standard.
For example, under the SCCs the parties warrant that:
- they have no reason to believe the laws in the importing country prevent the importer from otherwise fulfilling its obligations under the rest of the Clauses; and
- such laws respect the essence of fundamental rights and freedoms and do not exceed what is necessary and proportionate.
However, the accompanying Commission draft implementing decision confirms it is still incumbent on parties to take a proactive approach to assess the suitability of international transfers on a case-by-case basis.
The parties also warrant that they have undertaken the diligence exercise for assessing third country suitability, as set out by the ECJ, taking into account the specific circumstances of the transfer. As such, the SCCs cannot be relied upon in isolation, nor do they in themselves "cure" the issues identified in Schrems II.
In many instances supplementary technical or organisational measures will also be required. In some cases a transfer may simply not be possible.
See our recent blog on the draft European Data Protection Board guidance on supplementary measures.
Are there any other changes?
The rights of data subjects as third-party beneficiaries have also been tightened.
This again links to Schrems II, where the Court stated that data subjects must have enforceable rights and effective legal remedies against all parties involved in the processing of their data. In the updated SCCs data subjects can enforce the SCCs (subject to some exclusions) against either the importer or exporter. Previously data subjects could only pursue the importer if the exporter had disappeared or ceased to exist in law.
In line with the focus of the Commission to keep the law fit for purpose in the modern digital economy, there is a welcome acknowledgement that data sharing activities may involve multiple importers and exporters. In order to be able to reflect evolving business relationships, the new SCCs can therefore be entered into by more than two parties, with the ability for additional parties to accede to the SCCs during the term of the contract.
How long will we have to implement the new SCCs?
Once the consultation closes and the draft SCCs are formally adopted, there will then be a one-year grace period in which organisations can still use any previous SCCs already in place.
However, the Commission statement makes clear that this does not, even from today, alter the requirement to implement any other additional safeguards required to make an international transfer of personal data compliant with Article 46(1).
What about Brexit?
The UK will become a third country for the purposes of EU data protection law following the expiry of the post-Brexit transition period at 11pm on 31 December 2020. From that point, decisions from the Commission will cease to apply in the UK.
Any final decision by the Commission in relation to the new SCCs will not be made until well into 2021. This means it will be for the UK Government to decide whether to adopt these EU Commission SCCs or develop bespoke UK SCCs.
Unless and until replacement SCCs are specified by the Secretary of State, data exporters in the UK will continue to be able to rely upon the current SCCs.
The Commission's draft SCCs and draft implementing decision are open for feedback until 10 December 2020. You can provide feedback on the Commission website.
You can find out more about Brexit and data protection in our handy guide.