European Commission publishes new draft Standard Contractual Clauses
The European Commission has published new draft Standard Contractual Clauses (“SCCs”) for consultation.
On 12 November 2020, the European Commission ("Commission") published a set of new draft standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation ("GDPR").
Background
The GDPR restricts transfers of personal data out of the EEA to a third country or international organisation unless the rights of the individuals whose personal data is being transferred can be protected by an 'appropriate safeguard', or if one of a limited number of exceptions applies. The Commission's SCCs are widely used as a safeguard which offers sufficient protection in relation to international transfers of personal data. The SCCs comprise a contract between the data exporter (based in the EEA) and the data importer (based outside the EEA), incorporating standard data protection clauses adopted by the Commission which impose data protection obligations on the data exporter and importer, and ensure that individuals are able to exercise certain rights afforded by the GDPR.
The existing SCCs come in three different sets, one for controller to controller ("C2C") relationships and two for controller to processor ("C2P") relationships (although one set is rarely relevant). These were not updated with the GDPR and still refer to the old EU Data Protection Directive. The Commission notes in its draft implementing decision that important developments have taken place in the digital economy, which have led to the use of new and more complex processing operations often involving multiple data importers and exporters. The Commission recognises the need for a modernisation of the SCCs to better reflect those realities, by covering additional processing and transfer situations, and adopting a more flexible approach.
Key takeaways
We set out below some of the key takeaways to consider:
Structure: The new SCCs adopt a modular format, allowing organisations to include or exclude particular 'modules' depending on the transfer scenario. The new SCCs provide a module for each of the following:
- controller-to-controller transfers;
- controller-to-processor transfers;
- processor-to-processor transfers ("P2P"); and
- processor-to-controller transfers ("P2C").
As the existing SCCs only contemplate C2C or C2P transfers, this development provides organisations with sufficient flexibility to ensure data transfers are adequately protected in the context of longer and more complex processing chains. The extended scope of the new SCCs also includes transfers where the data exporter is outside the EEA, which extends the territorial scope of the GDPR (as set out in Article 3 GDPR).
Processor clauses: The Commission has also included a set of processor clauses which are required by the GDPR to be included in contracts between controllers and processors (Article 28 GDPR). The new SCCs make it clear that, in the event of a conflict between the provisions of the new SCCs and the provisions of any other agreement between the parties, the terms of the new SCCs will prevail. This will likely add a layer of complexity for organisations who have already gone through the process of negotiating data protection provisions in commercial contracts, as careful legal analysis will be required in order to determine which positions may be superseded by the Article 28 terms that the Commission has drafted into the new SCCs.
Schrems: The recent Schrems II decision (read our analysis here) raised a number of challenges in relation to international transfers of personal data. In what could be interpreted as a response to the Schrems case, the new SCCs contain 'supplementary measures' to address concerns around the transfer of personal data to countries which don't currently offer adequate protection. This includes a requirement to assess the laws of the importer country, a requirement for that assessment to be documented and a requirement to make that documented assessment available to a competent supervisory authority on request.
Implementation: Organisations will have one year from the date of the implementation decision to amend their contracts to put the new SCCs in place.
Next steps
It is clear that the introduction of the new SCCs will require organisations in Europe that transfer personal data outside the EEA to undergo a significant exercise in re-papering commercial contracts, not only to update existing SCCs to put the new SCCs in place, but also to update contractual arrangements in relation to P2P and P2C relationships.
It will be important for all organisations that want to use the new SCCs as an adequate mechanism of transfer to keep a close eye on this development, to ensure preparedness for when the Commission's final implementing decision is published.
The SCCs are open for public consultation until 10 December 2020, and feedback may be submitted here.



