Updated SCC: a new suit for your international data transfers
Updated: Jun 5, 2021
UPDATE: On 4 June 2021, the European Commission issued the modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.
Importantly, the implementing decision foresees in a dual transition period:
- for a period of 3 months after its entry into force, data exporters and importers are allowed to continue using the "old" SCC, also in new data processing agreements; and
- for an "additional" period of 15 months thereafter (so 18 months counting as of the entry into force), importers and exporters can continue to rely on the old SCC - which means that all such clauses should be phased out a year and a half from the twentieth day following its publication in the Official Journal of the EU (still forthcoming).
UPDATE 2: Also read our contribution on the new SCC for data controllers and data processors within the EU/EEA here.
November 2020 was a busy month for privacy professionals. Days after the publication by the European Data Protection Board (EDPB) of its Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, the European Commission published its long anticipated draft implementing decision updating the standard contractual clauses that would help businesses navigate the treacherous seas of international data transfers post Schrems II.
Since then, despite a vivid public consultation period and a ton of commentary on the new draft SCC (including a much debated joint opinion of the EDPB and the EDPS), the privacy world has been waiting for the formal adoption of the tool that everyone hopes will take away some of the uncertainty that the “Schrems II” ruling by the Court of Justice of the European Union has created in relation to the correct application of Article 46 GDPR.
The European Commission’s proposal (finally) recognises and accommodates (to a certain extent) the complexity of today’s data processing chains. Specifically, the draft implementing decision presents three important changes that may constitute the equivalent of a "brand new suit" for international data transfers going forward:
First, it explains the SCCs laid out in the Annex are modular. The Annex includes clauses pertinent to four different transfer scenarios in one document so the parties can tailor their contracts to the unique context of their transfers and processing chains.
Second, the reference to scenarios alludes to the European Commission’s inclusion of contractual provisions for four transfer scenarios:
The first two scenarios are accommodated by currently available SCCs, but the second two are not.
Many stakeholders on either side of the Atlantic have pushed for SCCs that can be used in these situations, particularly given the extent of transfers from processor to subprocessors.
Third, the European Commission’s draft indicates that more than two parties can adhere or accede to a single set of contractual clauses, potentially limiting the number of separate contracts companies must sign when onboarding new vendors or service providers, currently an onerous task.
Furthermore, the European Commission gets off the fence on what supplementary measures are required post Schrems II in addition to the adoption of (new) SCC to ensure that international data transfers meet the high standards of privacy protection that the GDPR mandates. On this point, the implementing decision will become an important reference, to be read together with the EDPB recommendations on this topic. Importantly, the draft decision explains additional requirements to address the impact of a third country’s laws on the controller’s or processor’s contractual commitments are necessary when the data at issue originates in the EU and not when the controller is the importer and receiving back only the data it originally sent for processing.
Finally, the implementing decision offers a potentially landslide change to the interpretation of Article 45 and 46 GDPR. Whereas until present, international data transfers have always been reviewed from a territorial perspective (i.e. if data leaves the EEA and travels to a third country), the draft decision opens a perspective for a more jurisdiction based approach as it alludes to the possibility that the draft SCCs are meant to be used (and are perhaps needed only) when the “data importer” is not directly subject to the GDPR itself. In other words, the commission’s draft could mean that data transfer mechanisms may not be needed when personal data is transferred to a company outside of the EU that is already subject to the GDPR under Article 3(2) (which includes GDPR applicability to companies physically located outside of the EU but monitoring or directing goods and services to EU data subjects). If confirmed in the final text, the implementing decision may put to bed a debate that started with the GDPR's adoption in May 2018 on how to approach the interrelation between its Chapter V on international data transfers and its extraterritorial scope as stated in Article 3(2).
In any event, the formal adoption of the new SCC will mean more work for privacy professionals across the pond as present data processing agreements will have to be updated, likely within a one year grace period.
Considering that the new, modular approach to SCC means there are many more data points to customise, this exercise will likely prove more than a "check the box" as companies presently copy pasting the European Commission's text (sometimes without much discernment) will have to take a closer look at precisely which set of SCC options to select for their purposes.