On November 12, 2020, the European Commission (“EC”) published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries pursuant to the General Data Protection Regulation EU 2016/679 (“GDPR”), along with the draft set of new SCCs (collectively, the “Cross-Border SCCs”).
Unlike the existing sets of SCCs, which apply only to two types of transfers originating in the European Economic Area (“EEA”) (controller-to-controller and controller-to-processor), the proposed Cross-Border SCCs adopt a modular concept that cater to various transfer scenarios and the complexity of modern processing chains:
While existing SCCs address the first two of the above scenarios, organizations have struggled with the latter two scenarios for quite some time now (at least since GDPR went into effect), and SCCs that address these may be a welcome addition for these organizations. Furthermore, the EC indicates that a single set of SCCs may be utilized by more than two (2) parties, greatly reducing the number of agreements that organizations need to enter into when onboarding new vendors or service providers (or when they have to replace the existing SCCs with these new Cross-Border SCCs).
The Cross-Border SCCs also contain several new obligations, some of which include:
Alongside the Cross-Border SCCs, the EC also published draft SCCs between controllers and processors located in the EEA containing clauses a controller can impose on its processor to satisfy the controller’s contractual requirements that the controller is obliged to impose under Article 28 of the GDPR. The use of these Article 28 Clauses will not be compulsory, and businesses may continue to use tailored data processing agreements to satisfy Article 28.
The Cross-Border SCCs address the challenges following the Schrems II decision by the European Court of Justice in July 2020. These new SCCs include language that explicitly outline how the data importer is supposed to react if the laws that apply to the data importer interfere with its ability to comply with the clauses, particularly when government authorities issue binding requests for access to personal data. The EC’s draft decision also addresses additional requirements to address the impact of the importing country’s laws on the parties’ contractual commitments, and indicates that these may only be necessary when the data originated in the EEA but not when the controller is the importer and only getting the data it originally sent to the processor for processing. The statement appears to stealthily suggest that the requirements of GDPR may only apply to individuals in the EEA, and not individuals in other countries who interact with companies that are otherwise subject to GDPR. In addition, the decision suggests that these Cross-Border SCCs are applicable when transferring personal data between an entity that is directly subject to the GDPR and an entity that is not directly subject to the GDPR.
Both the EC’s decision and the proposed Cross-Border SCCs describe three ways in which the parties must address the effect of foreign laws on the level of protection provided by the SCCs:
The Cross-Border SCCs are open for public consultation until December 10, 2020. Once approved, these clauses will replace the previous SCCs used by organizations as an appropriate safeguard for making international transfers of personal data under the GDPR. The final SCCs are expected to be adopted in early 2021. Organizations will have twelve (12) months from the date the Cross-Border SCCs enter into force to replace any existing SCCs currently being relied upon to conduct international transfers of personal data with the Cross-Border SCCs.
However, organizations should begin to understand the scope of its existing SCCs that may need to be revisited as a result of the new SCCs (especially those that more directly address the processor-processor or processor-controller scenarios), and should be prepared for potentially heated discussions when trying to incorporate the details of the additional measures described by the EDPB Recommendations.For questions or additional information on this topic, please contact any of the authors or your Foley relationship partner.