Drafts of the long-awaited new standard contractual clauses for the transfer of personal data to third countries (SCC) were published by the European Commission (EC) earlier this week, as well as new draft standard contractual clauses between controllers and processors under Article 28 of the General Data Protection Regulation (GDPR).
The drafts were released on 12 November for public consultation, and the EC is allowing until midnight (Brussels time) on 10 December for feedback to be submitted on them.
The new SCC are intended to replace existing versions which were drafted under previous data privacy law. Once approved, they will allow businesses to lawfully transfer the personal data of European citizens to those countries for which no decision of adequacy has been reached by the EC and where no other appropriate safeguards for such transfers exist, as required by the General Data Protection Regulation (GDPR).
There are some notable changes to the newly drafted SCC:
- Unlike the existing clauses, where separate documents had to be completed for data transfers between controllers and for data transfers between controllers and processors, these new clauses are presented in a single 28-page document. Integrated within this one set of clauses are the various transfer options available to controllers and processors. Modules are specifically marked to allow practitioners to select the relevant clauses applicable to each transfer scenario, whether that be, for example, a controller to controller transfer or a controller to processor transfer.
- Interestingly, the EC has also acknowledged the historic lack of provision for processor transfers with the incorporation of additional transfer options where a processor is exporting personal data. The clauses now allow for transfers of data from processors to controllers as well as for transfers between processors, which will enable processors to transfer data to their sub-processors. Specific provisions are included within Section II of the SCC to account for the use of sub-processors.
- There is a new optional clause, the Docking Clause, which allows third parties to become parties to the SCC by completing the required annex. This is available to both exporters and importers, allowing them to become parties to the SCC at any time, subject only to the agreement of the existing parties.
- The recent ‘Schrems II’ decision that invalidated the use of Privacy Shield as a lawful safeguard under which personal data could be transferred from Europe to the US is reflected in the SCC. New terms impose obligations on both parties to fully consider the extent of protection provided to personal data by the receiving country, as to whether the personal data would be adequately protected and whether effective rights are afforded to the individuals concerned. The SCC set out precise elements to be considered by the parties when undertaking such an assessment, those being:
  - the specific circumstances of the transfer such as the nature of the data and data subjects concerned, the scale and frequency of transfers and the number in the processing chain, as well as each party’s own practical experience of such transfers including the absence of requests for disclosure by public authorities from the data importer;
  - local laws, particularly the requirement to disclose, or the obligation to allow access to, the personal data by public authorities; and
  - any additional safeguards other than those provided under the SCC, such as technical and organisational measures applied during transmission and whilst processing within the receiving country.
The Commission Implementing Decision gives businesses one year from the date of enforcement of the new SCC to implement them in place of their existing contracts for transfers of data to third countries. In addition to the public consultation, consultation with member states is required, and the draft clauses must be reviewed by the European Data Protection Board and the European Data Protection Supervisor before being formally adopted.
Whether or not these will form part of EU retained law within the UK will depend on whether they are operative before 31 December 2020. However, there is of course the option for the Information Commissioner to adopt these under Article 28 of the UK GDPR. As such, businesses are advised to commence an assessment of their current data transfer arrangements in order that they can identify and replace those existing SCC with the newly drafted SCC, to enable their continued lawful transfer of data internationally.