The (draft) updated SCCs: A new hope for international data transfers?
The recent Schrems 2 ruling by the European Court of Justice has caused many a data protection officer some sleepless nights. In particular those privacy professionals advising multinational companies on how to best handle their international data transfers from the EU to the US may feel as if they are partaking in a poor rendition of Agatha Christie's 'Ten Little Soldiers' as first Edward Snowden and then Max Schrems laid siege to whatever comfort the European Commission tried to offer to the transfer of personal data across the pond as required by business interests.
With both Safe Harbour and the Privacy Shield referred to the proverbial shredder by Luxembourg, the so-called standard contractual clauses are among the few appropriate safeguards still standing (in the absence of the adequacy decision 'green card') when faced with international data transfers. But Schrems 2 made it clear that also these standard clauses are overdue for an update.
On 12 November 2020, the European Commission published a draft Implementing Decision on updated standard contractual clauses for the transfer of personal data to third countries (SCCs). Once approved, the SCCs will replace the previous standard contractual clauses used by organisations as an appropriate safeguard for making international transfers of personal data under the General Data Protection Regulation 2016/679 ("GDPR").
Based on the draft implementing decision, businesses will have twelve months from the date the SCCs enter into force to replace any existing standard contractual clauses currently being relied upon to conduct international transfers of personal data with the SCCs.
It is to be expected that the updated SCCs will be adopted by the European Commission at the beginning of 2021.
As a result, businesses will need to undertake a remediation project to assess their data transfer arrangements and replace their existing network of standard contractual clauses with the SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the EEA in compliance with the GDPR. The 28-page SCCs use a modular approach where specific sets of clauses can be used not only for controller-to- controller and controller-to-processor transfers, as is the case today, but also for processor-to-processor and processor-to-controller personal data transfers. The SCCs now contain an optional Docking Clause, whereby new parties may accede to the SCCs, either as a data exporter or a data importer, at any time by way of executing a specific Annex.
The SCCs are more comprehensive than the previous sets. On the one hand, they reiterate the legal requirements introduced by the GDPR in 2018, such as increased transparency obligations of the parties and strengthened data subject rights. On the other hand, the SCCs also aim to address some of the new requirements arising from decision of the European Court of Justice earlier this year which invalidated the EU-US Privacy Shield and required parties using the standard contractual clauses to assess if the personal data transferred to countries outside of the EEA would be afforded an adequate level of data protection according to the GDPR requirements.
In particular, the (updated) SCCs reinforce the obligation of data exporter and data importer to conduct a comprehensive assessment to determine whether the data importer in the third country, if it has not been recognised by the European Commission as offering an adequate level of data protection, can actually guarantee an adequate level of data protection as stipulated by the GDPR and the SCCs.
The SCCs stipulate that in order to do this, the specific circumstances of the transfer need to be taken into account, as well as the laws of the state where the recipient of the personal data is located, especially with regards to access by public authorities to the transferred personal data. Businesses must also assess whether supplementary measures can be taken to protect personal data in the third country.
The data importer will be obliged to notify, where legally possible, the data exporter and the affected data subjects, if it receives a legally binding request from a public authority to disclose personal data transferred pursuant to the SCCs, or if it becomes aware of any direct access by public authorities. Furthermore, the data importer will be required to exhaust all available remedies to challenge the access request if it concludes that there are grounds under the local laws to do so.
In summary, the SCCs endeavour to remove some of the long shadows cast by Snowden and Schrems (1 and 2) on international data transfers to (let us be honest) primarily the United States by imposing GDPR-like obligations on data importers and thus, via a contractual tool extending the territorial scope of GDPR principles.
But it is fair to state that the introduction of the SCCs will provide for job security of lawyers and privacy professionals alike, as parties will need to step up their game in order to resign agreements, provide enhanced transparency to data subjects and to flow down new terms to third parties and sub-processors within the one year transition period and beyond.