A New Hope for Standard Contractual Clauses?
In the wake of the seminal Schrems 2 ruling by the European Court of Justice (see JurisCom contribution here), the European Commission is mulling changes to one of the few remaining options that data controllers have available to ensure compliance of their international data transfers with the GDPR (General Data Protection Regulation (EU) 2016/679)): the Standard Contractual Clauses (SCC).
There are two sets of SCCs: one that deals with international transfers of EU personal data to processors, and another that deals with transfers to controllers.
Actually, an update of these SCC is already somewhat overdue as the present sets date from before GDPR times and specifically the controller-to-processor set would require changes to comply with Article 28(3) of the new legislation. Article 28(3) of the GDPR states that any sharing of personal data by a controller with a processor requires a written contract with very specific provisions. These mandatory provisions go beyond what was required in a controller-processor relationship under the Directive. They also go beyond the provisions of the current controller-to-processor SCCs. Therefore, provisions in the revised SCCs for C2P transfers will likely resemble more closely the list of Article 28(3) of the GDPR requirements.
This means adding certain provisions and obligations on the processor that are currently missing from the SCC.
The European Commission chose not to finalize the revision process prior to the conclusion of the Schrems 2 case, recognizing that the decision could necessitate additional changes.And that is exactly what happened, as the European Court upheld the validity of the SCCs but indicated that the data controller must conduct a case-by-case assessment of the protection that SCCs can provide, taking into account the nature of the data that is transferred, country of destination and type of company to which the data is transferred.
This self-assessment approach means, in addition to a long awaited update of the SCC, a renewed focus of companies on performing transfer impact assessments on their international data streams.
It is to date unknown what the new SCCs will say on Schrems 2. According to experts, the most likely scenario is that the revised SCCs will contain an additional representation from the data exporter that it has verified and is satisfied that the law of the third country of destination ensures adequate protection under EU law for the transferred data and that the level of protection required by EU law is respected in the country of destination. There also may be an additional requirement imposed on the data importer to assist the data exporter with making this determination, if so requested by the data exporter.
While there remains a fair amount of uncertainty for companies engaged in international data transfers, it is clear they should think through the best method to update or replace the SCCs they currently have in place. Companies should also update internal training materials to reflect "the new privacy normal" following the Schrems 2 decision.
Update: In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs on September 3, Commissioner for Justice Didier Reynders expressed hope that the revision of SCC would be finalized by the end of this year.