After first drafts were published in November 2020, the European Commission has finally adopted new Standard Contractual Clauses (SCCs), which were published today (one for the transfer of personal data to third countries and one for the use between controllers and processors based in the EU). SCCs are, in practice, probably the most relevant transfer mechanism, e.g. in the context of using cloud service providers processing personal data outside of the European Union. Since the “Schrems II” ruling of the Court of Justice of the European Union (CJEU) last summer, controllers and processors using SCCs have been under great pressure to review their transfers based on SCCs, as the CJEU required them to assess implementing additional technical and organizational as well as contractual measures, depending on the level of security for the data in the country of the data importer.
The European Commission had to consider the extensive feedback from various stakeholders on the draft SCCs, which delayed the final adoption. The new SCCs replace the old sets of SCCs (which were adopted in the pre-GDPR era), and the data export clauses have a few new or updated aspects, including:
- Modular approach: The SCCs cover a wider range of processing scenarios, with a modular approach combining separate rules for all potential transfer scenarios in one overall agreement. New sets for transfers between two processors and even from a processor in the EEA to a third-country controller are included;
- Docking clause: For reflecting complex processing chains, the new SCCs include a so-called “docking clause”, facilitating the formation of multilateral contractual relationships by allowing new parties (including sub-processors) to accede to an already existing agreement;
- “Schrems II” provision including a “practical toolbox” to comply with the “Schrems II” ruling: Echoing the requirements of the “Schrems II” ruling, the new SCCs contain a provision dealing with the effects of local laws on the compliance of data transfers based on the SCCs, including a footnote summarizing the different steps companies have to take for compliance with the “Schrems II” ruling;
- Obligations of the data importer in case of access by public authorities: The new SCCs require the data importer to notify the data exporter promptly in case of legally binding requests from public authorities or any direct access by public authorities to data transferred under the SCCs. Data importers will also be required to use “best efforts” to obtain a waiver of a prohibition to inform the data exporter about such cases;
- Extended rights of data subjects: Under the new SCCs, the rights of the data subjects have been strengthened. In contrast to the current regime, where data subjects have no direct data subject rights as granted in the GDPR vis-à-vis the data importer, data subjects will be granted direct rights against data importers, with the exact extent of these rights depending on the concrete transfer scenario. This comes along with an extension of the rights of data subjects as third-party beneficiaries who may invoke and enforce the SCCs against the data exporter as well as the data importers; and
- Liability rules: Under the new SCCs, the data importer and data exporter are, in accordance with the liability rules of the GDPR, liable for any damages vis-à-vis data subjects caused by a breach of the SCCs. Such damages can be material as well as non-material damages. In contrast to the GDPR, which requires a breach of both parties in case of a joint liability, in controller-to-processor and processor-to-processor scenarios, the data exporter in Europe is liable for violations by its processor (and even sub-processors).
Most interestingly for users of the SCCs, the European Commission provides a transition period of 18 months - longer than the 12 months initially suggested in the draft SCCs.
We will follow up with a more detailed analysis soon. In the meantime you may be interested in our analysis of the draft SCCs for the transfer of personal data to third countries.
As a follow-up to the “Schrems II” ruling, we are also still waiting on the final Recommendations for Supplementary Measures from the EDPB, which were also open for stakeholder feedback after being published in draft form in November. We do not have any clear indication of timing but, in their Annual Report 2020 published on 2 June, the EDPB said, “The Recommendations […] were subject to a public consultation. The EDPB received over 200 contributions from various stakeholders, which it is currently analysing”. Prior to the summer break, plenary sessions are planned on 18 June and 7 July, during which the final Recommendations could theoretically be adopted, although we have not yet seen the agendas for these meetings.
In addition, although the European Commission and the U.S. Department of Commerce committed to “intensifying” negotiations on the successor to the EU-U.S. Privacy Shield (which was invalidated in the “Schrems II” ruling) in March, there has been no sign of white smoke. During recent interventions, EU Justice Commissioner Didier Reynders emphasised that “there are no shortcuts and there will be no quick fix. We will only accept a solution that is fully in line with the requirements of Union law, as interpreted by the Court of Justice […] It is also in the mutual interest of the EU and the U.S. that we put in place a solid, sustainable and legally certain transatlantic transfer mechanism”, and EU Commission Vice-President Věra Jourová suggested that it would be “very useful, I would even say necessary” to have “legally binding rules, or rule, on the U.S. side”. In response, it was reported that, during the EU-U.S. summit on 15 June, U.S. President Biden will push Commission President von der Leyen to back a ‘political agreement’ around a successor to the EU-U.S. Privacy Shield, committing to fast-track negotiations, and leave the technical details to both sides’ negotiating teams.
The Commission is also deciding whether to continue to allow data exports from the EEA to the UK. The Commission has published a draft ‘adequacy’ decision for the UK and, in a speech on 20 May 2021, the Justice Commissioner said that the Commission takes the view that the adequacy decision should be issued. If there is no adequacy decision or other arrangement by 30 June 2021, businesses will need to use one of the other GDPR carve-outs, like the SCCs. Meanwhile, the UK Information Commissioner is working on its own model contract clauses for data exports out of the UK; it expects to consult on those clauses in the summer.