New Draft SCCs for International Data Transfers

Following the Schrems II decision that the US Privacy Shield is no longer an adequate safeguard for data transfers between the US and the EU, concerns have been raised over the effectiveness of the European Commission’s Standard Contractual Clauses (SCCs).

Now, the European Commission has released a new draft version of the SCCs open for consultation until 10 December 2020.

So, what do these new SCCs contain, and what do businesses need to do to prepare?

What are SCCs?

Standard contractual clauses are a set of model contract clauses used between parties engaging in a data transfer, to ensure that both parties follow their obligations under the GDPR and that an adequate level of protection under the GDPR is maintained. For an analysis of the existing SCCs and when to use them, check out our article here!

Recap: the reason for the update

The CJEU recently agreed with Max Schrems’ argument that the principles of the US Privacy Shield, which were intended to uphold General Data Protection Regulation (GDPR) rules, could not be followed since, no matter how compliant US businesses were, the US government’s wide-ranging surveillance laws could not be avoided and ultimately were incompatible with the GDPR.

Since the judgement, there has been concern that the SCCs as currently drafted are also not going far enough, since businesses can effectively use them to facilitate transfers without truly examining whether GDPR rules will be followed in practice in accordance with national rules that cannot be avoided.

This has pushed the European Commission to update the SCCs, which until now were based not on the GDPR but on a previous data protection Directive!

What has changed?

As originally drafted, there were two versions of SCCs to be used between EU controllers and third country controllers, and one option for EU controller to third country processor contracts.  

The European Commission has now drafted one new version of SCCs to use for cross-border transfers of personal data to replace the previous versions and, finally, a brand-new set of SCCs for use as part of a DPA when controllers engage processors!

The draft cross-border SCCs are the first that have been issued under the GDPR and therefore, reflect the GDPR principles.

Their coverage is wider than that of the old SCCs: the new clauses cover a broader range of data transfer situations and allow for more modern forms of data sharing. For example, there is an option to amend the number of parties to the contract.

Additionally, likely due to the influence of Schrems II, the draft cross-border SCCs include specific extra obligations on the party based in the third country regarding governmental access and surveillance, for example, reviewing the legality of any requests that are made and using all means necessary and available to challenge the request. There is also an obligation on parties based in the EEA to assess and address the likely consequences of the third country laws. 

The new obligations in cross-border SCCs

In summary, the new obligations are: 

  • Data subjects must be provided with a copy of the SCCs in place on request, and must be informed if there are any changes to the purpose of the processing engaged in, or any parties to whom personal data may be disclosed. 

  • Exporters and importers must ensure that in the event of any onward transfers to another third country, the secondary importers either enter into the same set of SCCs, or data subjects give their explicit, informed consent for such onward transfers.

  • Exporters and importers are required to describe in detail the level of liability accepted between the parties and towards data subjects concerned, and the level of indemnification each party will give.

  • Any processors and sub-processors engaged must have the same obligations as data importers, requiring them to have appropriate technical and organisational measures in place.

  • Sub-processors must ensure compliance with the instructions of both the processors and the controllers. 

Check out the new draft cross-border SCCs here!

New SCCs for controllers and processors 

The European Commission has also proposed a set of SCCs to be used between controllers and processors, as part of a data processing agreement. 

The Commission has suggested these SCCs will standardise data protection rights and obligations between controllers and processors. The drafts contain annexes with templates for records of processing and storage of data descriptions. They set out the required technical and organisational safeguards and suggest appropriate data controller instructions.

Check them out here.

What next?

Both sets of draft SCCs will be open for feedback until 10 December 2020. 

Parties with SCCs in place at the moment should keep a close eye out for any updates. The draft SCCs state that from the date they come into force, companies will have a 1 year grace period to update the contracts they have in place. However, this 1 year grace period is not definite: if, for example, the contract is changed within this 1 year period, the data exporter must ensure that the SCCs are updated.

Until the SCCs are accepted, controllers and processors can continue to rely on the old SCCs as the safeguard for international data transfers. So, all parties engaging in international data transfers are encouraged to monitor the situation closely to ensure they can update their practices as quickly as possible.

If you have any questions about international transfers, or would like any advice on implementing SCCs, please don’t hesitate to get in touch!

Article by Lily Morrison @ Gerrish Legal, November 2020
