The European Commission recently issued its much-anticipated draft revised Standard/Model Contract Clauses, which are subject to a short public consultation. This article looks briefly at this new development.
What’s this all about?
Under both the previous EU data protection regime and the General Data Protection Regulation (GDPR), international data transfers can only be made in certain ways and subject to various conditions. These include country Adequacy Decisions, Binding Corporate Rules and, probably the most relied-on mechanism, Standard/Model Contract Clauses (SCCs). SCCs consist of a contract entered into between a data exporter and a data importer that imposes certain data protection obligations on both parties. SCCs have long been overdue an upgrade, and the need for one was given even more impetus by the European Court's summer 2020 Schrems II ruling, which invalidated the EU-US Privacy Shield; we have written about that ruling here: https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/. Some GDPR special terms used in this note are defined in our glossary at www.bit.ly/gdprwords.
What are the highlights?
Some of the key points (of what is a detailed and complex area) are as follows:
- The format consists of a main text (the EU implementing decision itself and its recitals) with the actual clauses in a separate annex. The annex adopts a modular approach to address various transfer scenarios;
- The revised new clauses can be used for data transfers in the following situations: (a) from controllers in the EU to controllers in a third country; (b) from controllers in the EU to processors in a third country; (c) from processors in the EU to a sub-processor in a third country; (d) from controllers in a third country subject to GDPR to processors outside the territorial scope of application of GDPR; and, (e) from processors in a third country subject to GDPR to sub-processors outside the territorial scope of application of GDPR;
- Obligations include the following: (a) data subjects must be provided with a copy of the revised new clauses upon request and must be informed (amongst other things) of any change of purpose and the identity of any third party to whom data will be disclosed; (b) for any onward data transfers by a data importer to a recipient in a third country, either the recipient signs up to the new clauses or a data subject has to provide explicit and informed consent; (c) liability between the parties and towards data subjects and indemnifications between the parties will need to be described in greater detail; (d) obligations similar to GDPR Article 28 technical and organizational measures are imposed on processors and sub-processors; and, (e) sub-processors must ensure compliance with instructions from both a processor and a controller;
- Non-EEA data importers who are controllers will have to notify both the data exporter and an EU data protection regulator of a personal data breach likely to result in “significant adverse effects”;
- Supplementary measures provisions that relate to the Schrems II case include: (a) a warranty declaring that there is no reason to believe that the laws in the importer's country prevent the importer from fulfilling its obligations under the revised new clauses; (b) an obligation to assess the relevant legislation of the importer's country and a requirement to document the assessment made, which must be made available to a data protection regulator on request; and, (c) obligations on a data importer to challenge requests for data access made by a public authority and, once any such challenges have been exhausted, to provide only the minimum amount of personal data; and,
- There will be a one-year grace period from the date of entry into force of the revised new rules. Data exporters and data importers will be able to continue to rely on the existing SCCs for the performance of a contract concluded between them before that date, as long as the contract remains unchanged except for any supplementary measures necessary to ensure that the transfer of personal data is subject to appropriate safeguards as required under GDPR.
What are the next steps?
The consultation is open until 10 December 2020 (midnight Brussels time). The European Commission says that “feedback will be taken into account for finalising this initiative” which will then be published. The finalised version of the new SCCs is expected in early 2021.
What are the takeaways?
First, do have your say and respond to the consultation if you have concerns about the revised new rules.
Second, plenty of work will need to be done to ensure compliance. Assuming that the current version of the draft revised SCCs stays basically the same and is adopted, the following will need to be considered:
- Consider doing an audit of all of your existing SCCs so that you are able to replace them, and prepare a methodology for doing so; the new modular approach will require time and resources to adapt to;
- Whilst the one-year transition period might seem a long time, many organisations will either have many existing SCCs to eventually replace or plenty of new ones to introduce, so make time for the change and prioritise the order in which you make it. Bear in mind also that if an underlying agreement between the parties is renegotiated or otherwise changed during the transition period, the revised new SCCs (not the existing SCCs) are the ones that will have to be applied immediately, so the work required to change over to the revised new SCCs may have to be turned around quickly; and,
- Consider developing or revising procedures for handling requests for personal data made by public authorities.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR, on paper and on film;
- A monthly call on key developments.
For information about our GDPR Navigator please see here: www.bit.ly/gdprnav
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The draft revised EU standard/model clauses (and place to provide feedback) can be found here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785
Image courtesy of H&M