European Commission publishes new draft SCCs for consultation
19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism. The most widely used mechanism is the standard contractual clauses (SCCs), as adopted by the European Commission in 2010 (for controller-to-processor transfers) and 2004 (for controller-to-controller transfers).
On 12 November 2020, the European Commission published updated draft SCCs for consultation (New SCCs). This was timely: in its ‘Schrems II’ judgment in July 2020 the CJEU not only invalidated the EU-U.S. Privacy Shield, but also reminded data exporters that SCCs are not a paper-exercise panacea for sending personal data outside the EU. Rather, they are a tool to help data exporters (and data importers) to assess the impact of transferring personal data and then to put in place any necessary safeguards, so that transfers are only carried out where the data will benefit from a level of protection which is ‘essentially equivalent’ to that afforded within the EEA. The New SCCs have been drafted with a view to helping data exporters both to undertake the impact assessment and to put in place any necessary safeguards.
So what changes will the New SCCs make?
- Currently we have two sets of SCCs, one for controller-to-controller and one for controller-to-processor data flows. The New SCCs contain modular clauses enabling them also to be used for processor-to-sub-processor and processor-to-controller transfers.
- The New SCCs include a ‘docking clause’ which enables additional controllers and/or processors to sign up as parties to an existing agreement.
- Following the Schrems II judgment in July 2020, data exporters are required, prior to a transfer to a non-EEA country, to assess the law and practice of that country to determine whether the level of data protection is ‘essentially equivalent’ to that provided in the EU – a transfer impact assessment. Data importers must use best endeavours to help with the transfer impact assessment and, where possible, seek waivers from local authorities of any restrictions on the data importer’s ability to notify the data exporter about government requests.
- The obligations of non-EEA controllers are extended, including obligations to:
  - Provide more information to data subjects, including the data importer’s contact details.
  - Notify the data exporter, the data subjects and the supervisory authority of significant data breaches.
  - Establish and maintain more detailed documentation.
- Non-EEA processors are also subject to expanded documentation and data breach notification obligations.
- Data importers must pass their New SCC obligations through to any sub-processors or other third parties with whom the data importer shares the personal data, as listed in Annex III to the New SCCs. The data importer is required to submit to the jurisdiction of the applicable EU supervisory authority.
- The rights of data subjects are strengthened, including the right to make non-material damage claims. The data exporter and data importer are jointly and severally liable to the data subject.
- If a data importer is subject to a governmental request to access personal data, the New SCCs specify:
  - What information the data importer must provide to the data exporter.
  - The steps the data importer must take if it is restricted by law from providing such information to the data exporter.
  - The data importer’s obligations to challenge the request.
- Annex II provides examples of technical and organisational measures that can be implemented to ensure an appropriate level of data protection, including pseudonymisation and encryption of personal data to protect it not only while at rest but also when in transit.
What happens next?
Although the European Commission has not proposed a date from which the New SCCs will be effective, it is likely to be a matter of weeks rather than months from the end of the consultation period (10 December 2020). Controllers will then have a one-year period to migrate their data transfers from the existing SCCs to the New SCCs.