Three years after the GDPR came into effect, the European Commission has issued the much-awaited final version of two new sets of Standard Contractual Clauses that are expected to enable data controllers and processors to address some of the thorny issues in the transfer of personal data of EU/EEA citizens. The Press Release of the EU Commission, dated June 4, 2021, is available here.
Five New Templates
As anticipated from prior drafts, the new Standard Contractual Clauses framework is comprised of two sets of documents that address two distinct settings. A total of five documents can be used depending on the circumstances:
One category provides one document, intended to address transfers between controllers and processors when both parties are in the EU/EEA (or otherwise subject to the GDPR) and must meet the GDPR Art. 28.
The other group addresses, in addition, the issues arising from crossborder data transfers where one of the entities is established outside the EU/EEA (and not subject to the GDPR). Four scenarios are addressed: Controller-to-controller transfers; Controller-to-processor transfers; Processor-to-processor transfers; and Processor-to-controller transfers.
The texts provided in the links above are the final working documents. Before they can take effect, they must first be published in the Official Journal of the European Commission. After that, there is series of steps for their entry into force, repeal of the existing Standard Contractual Clauses, and a transition period, so that the compliance date is expected to be December 27, 2022.
The modernized SCCs address many of the new issues that were raised in the General Data Protection Regulation (GDPR). For example there are enhanced requirements for transparency (Clause 8.2), accuracy and data minimization (Clause 8.3), right of erasure (Clause 8.5) and accountability (Clause 8.9). There are also lengthy provisions concerning security, enhanced security measures, notification of the data controller in case of a breach of security (clause 8.6). Data subject rights and redress provisions in Clauses 10 and 11 are extensively covered, taking over two pages.
Access by Public Authorities
The modernized SSC address, but only in part, the recent decision of the European Court of Justice in the Schrems II case. For example, the new SCCs set forth detailed obligations related to the performance of due diligence for assessing the potential impact of local laws on the data. Clause 14 contains obligations to assess the local laws in the recipient country to determine their effect on compliance with the Clauses. Further, Clause 15 addresses the obligations of the data importer in case of access request by authorities in the recipient country.
Due Diligence and Supplementary Measures Still Needed
The new SCC are not intended to provide a one size fits-all cure that fully addresses the deeper issues and the much more complex effect of national security laws raised by the CJEU decision of July 2020 in Schrems II. These issues vary depending on the country, the type of personal data at stake, and other factors. Due diligence, evaluation, and gap analysis in a form similar to that which is described in draft Recommendations 01/2020 of the EDPB remains necessary. And these activities must be documented.
Recitals 18 to 22 of the SCC Implementing decision stress the need to address the mandates of the CJEU decision of July 2020 in Schrems II in advance of signing any document that incorporates the new SCCs for crossborder transfers.
Recital 19 of the Implementing Decision warns that the transfer and processing of personal data under the SCC should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. It also stresses that the parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
Recital 20 provides further guidance, and clarifies that when evaluating the impact of local laws on compliance with the SCCs, different elements may be considered, including reliable information on the application of the law in practice, such as case law and reports by independent oversight bodies; the existence or absence of requests in the same sector; and the documented practical experience of the data exporter and/or data importer.
While the publication of the final draft of the SCCs has provided certainty as to the detail of the SCCs, it has also made more urgent the need for businesses to pay attention to their use or processing of personal data originating from the EU/EEA and revamp their data processing practices and policies and their data transfer agreements. Before trading the old for the new, it is becoming critical that they complete the due diligence and activities suggested in EDPS Recommendations 01/2020 in conjunction with the using the additional guidance provided in the Implementing Decision as necessary to ensure that a specific data transfer or specific data to a specific country is feasible.