Inspired by GDPR, Schrems II and “No Deal Brexit”
The update of the SCCs has been long awaited as the current SCCs predate the GDPR and have not been updated to reflect the impact of the GDPR on personal data transfers to third countries.
The SCCs have recently become especially relevant for transatlantic transfers, since the US-EU Privacy Shield – a widely used framework for data transfers from the EEA to the US – was invalidated in the Schrems II judgment of July 2020. Finally, the impending ‘No Deal Brexit’ has also probably impacted this timing, as the UK is not deemed to provide adequate protection and therefore, any transfer of personal data from the EEA to the UK from 1 January 2021 onwards would need to be performed under the former SCCs (or under Binding Corporate Rules (BCRs)), which had not yet been updated for the GDPR.
Even if the new SCCs have not been adopted yet, they provide an update to the existing SCCs and are therefore more compliant with the GDPR than the existing SCCs. Moreover, the final versions of these SCCs will very likely not differ substantively from the current versions. In terms of timing, any agreements containing the existing SCCs that are signed now will have to be signed again with the new SCCs in a year.
Process and timing
Two sets of draft SCCs have been published: one for transfers between the EEA and third countries (discussed below) and one for intra-EEA transfers. In terms of process, the draft SCCs are now open for public consultation until 10 December 2020 and have been sent to the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS – a kind of data protection authority for the EU institutions) for their opinion. After taking into account any feedback it may receive, the European Commission will adopt the final clauses once they have been approved by the Member States’ representatives. In terms of timing, the EDPB and EDPS were consulted beforehand during the drafting process and will probably not have substantive remarks. If nothing major comes out of the public consultation or from the Member States’ representatives (who have most probably been consulted beforehand too), the final SCCs could be published before the end of the year and in time for implementation in EEA – UK data transfers, according to the European Commission’s ambition. There are, however, many “ifs” and it’s not impossible that the timetable shifts a little bit and that we don’t see the final SCCs until early next year.
Parties may continue to rely on the existing SCCs for one year after the date of entry into force of the new SCCs if the existing SCCs were signed before that date. However, if, during this one-year period, relevant changes are made to the contract, the new SCCs should be signed. For instance, if the new SCCs are adopted on 11 December, the existing SCCs remain valid until 11 December 2021 if they have been signed before 11 December 2020.
Substance (main changes) of the draft SCCs EEA-third country
- Modernised structure of SCCs:
  - To take into account new ways of transferring personal data (not limited to controller to controller or controller to processor), the SCCs are articulated in four so-called modules covering more relations (controller to controller, controller to processor, processor to processor and processor to controller). These modules work as building blocks to adapt the SCCs to different situations.
  - Another update that reflects the pragmatic approach of these draft SCCs is the ‘docking clause’, which allows new contracting parties to be added to the SCCs after initial signing.
- Updates relating to the Schrems II decision (Clause 2):
  - Warranty of both parties that the data importer can fulfil its obligations under the SCCs, taking into account the laws in the third country.
  - Obligation of the data importer to notify if this is no longer the case.
  - In the latter situation, obligation of the data exporter to suspend or take appropriate measures.
  - Obligation of the data exporter to document the impact assessment of the data transfer.
- Obligations of the data importer in case of government access requests (Clause 3).
- Integration of data processing principles inspired by the GDPR (Clause 1).
- Integration of data subject rights inspired by the GDPR (Clause 5).
The European Data Protection Board (EDPB) guidance for data transfers to third countries
On 11 November 2020, the EDPB published recommendations on supplementary measures and on essential guarantees.
The Schrems II decision determined that companies can continue to use SCCs, but they must first assess whether the laws in the country receiving the data impinge on the data protection obligations in a way that would make complying with the SCCs impossible. If they do (the data importer cannot fulfil its obligations), the data exporters need to add supplementary measures to the SCCs. The recommendations on supplementary measures and essential guarantees published by the EDPB are intended to assist data exporters in applying the Schrems II decision in practice.
The EDPB provided a step-by-step roadmap for assessing and protecting data transfers to third countries, as well as a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective. In addition, for cases of possible surveillance by public authorities in the importing country, the EDPB also issued essential guarantees, which provide data exporters with elements to determine whether said surveillance impinges on the commitments of the transfer tool (such as the SCCs) that the data exporter and importer rely on.