On 12 November 2020, the European Commission published a draft Implementing Decision on new Standard Contractual Clauses for the transfer of personal data to third countries.
The CJEU judgement in the Schrems II case has brought to light some deficiencies in the current guarantees applied to international data transfers. Apart from invalidating the Privacy Shield, the Court stipulated that additional measures are required when using Standard Contractual Clauses (SCCs) in order to ensure that the data subjects are granted a level of protection essentially equivalent to the one guaranteed by the GDPR and the EU Charter of Fundamental Rights.
You can learn more about the business implications of the Schrems II decision in our blog.
In response to the caveats pointed out by the CJEU with regard to the use of SCCs for making international transfers, the European Commission published a draft implementing decision containing a draft new set of SCCs for transfers of personal data to third countries, which includes five main changes in relation to the current clauses (approved under Directive 95/46/EC):
- Modular approach to cover various transfer scenarios, including processor-controller and processor-sub-processor international data transfers.
- More than two parties could adhere to the SCCs and additional controllers and processors should be allowed to accede to them throughout the life cycle of the contract.
- Additional safeguards should be provided to ensure a level of protection of the personal data essentially equivalent to the one granted by the GDPR.
- Data subjects should be provided with a copy of the SCCs upon request and they should be informed of any change of purpose and of the identity of any third party to which the personal data is disclosed.
- The data importer should inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints or requests.
Modular approach and territorial scope
The draft of new SCCs aims to address some gaps of the current SCCs, such as the limitation of the type of data transfers that can be made under their provisions. While the current SCCs are designed for international data transfers from EU controllers to non-EU/EEA controllers and international data transfers from EU controllers to non-EU/EEA processors, the proposed new ones combine general clauses with a modular approach which would allow controllers and processors to select the module applicable to their situation and tailor their obligations to their corresponding role and responsibilities. In terms of territorial restrictions, the new SCCs do not require the data exporter to be established in the EEA, which also increases the number of scenarios that may be covered by this safeguard.
The new SCCs stipulate some obligations that the parties should meet for the purpose of ensuring an adequate level of data protection. The additional measures imposed by the new SCCs include, inter alia, the following:
- Application of additional requirements to address how to deal with binding requests from public authorities in the third country for disclosure of personal data.
- Risk assessment undertaken by the data exporter to determine whether there are any reasons to believe that the laws applicable to the data importer are not in line with the requirements laid down in the SCCs. To this end, some key elements should be taken into account, namely:
  - Duration of the contract.
  - Nature of the data transferred.
  - Type of recipient.
  - Purpose of the processing.
  - Any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.
  - Laws of the third country of destination relevant in light of the circumstances of the transfer.
  - Technical and organisational measures applied during transmission and to the processing of the personal data.
- Obligation of the data importer to notify the data exporter and the data subject about any legally binding request issued by a public authority under the law of the country of destination for disclosure of personal data or about any direct access by public authorities to the personal data.
Once these SCCs have been approved, they will replace the current ones. A one-year grace period will be granted for parties to put the new clauses in place. During this period, transfers can continue to be made on the basis of the current SCCs, unless those contracts are changed. If the contracts are changed, then the parties lose the benefit of the grace provision and must move to the new clauses. If parties change existing contracts in order to introduce additional safeguards, as required by Schrems II, then they can still benefit from the grace period provision.
The draft is open for feedback until 10 December 2020.
Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.