New Standard Contractual Clauses for Transfer of Personal Data outside the EEA – Getting Warmer by the Day
We are one (penultimate) step closer to the final adoption of new Standard Contractual Clauses (“SCCs”) by the European Commission.
The final version of a long overdue update to the 2004 (in case of controller-to-controller)/2010 (in case of controller-to-processor) model clauses which companies use to safeguard personal data transfers to controllers/processors outside the EEA under Article 46.2(c) of the GDPR, has cleared one of its final hurdles.
Today, the Article 93 Committee, consisting of the representatives of EU governments, unanimously approved new draft SCCs proposed by the Commission. The Committee is named after Article 93 of the GDPR, referencing the examination procedure, which the draft SCCs of the European Commission (including the one on the new SCCs) had to go through on its way to final adoption.
The last step in this process is the adoption and publication of the definitive final version of new SCCs, which is expected in the upcoming days. The latest public draft of the SCCs contains a sunset clause, which requires companies to replace their existing SCCs with the new format within one year from the day of commencement of the new decision on the SCCs (repealing the current SCCs after the period lapses). Companies should look out for this provision in the final version, as it will be crucial for determining the timelines to put the new SCCs in place internally, as well as externally with companies’ vendors, etc.
The final version promises to bring a more modern and diverse (in terms of the roles of the parties) modular approach to what is arguably the most popular personal data transfer safeguard under Article 46 of the GDPR, used by companies. One of the main reasons why the new SCCs are so highly anticipated is because of the potential extent of protections it will offer to companies transferring personal data outside the EEA in the aftermath of the Schrems II Judgement (CJEU Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, dated July 16, 2020).
Questions remain on how much the final text will reflect the concerns raised by the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor in their “Joint Opinion 2/2021 on SCCs for the transfer of personal data to third countries from January 14, 2021.” It is also unclear how the new SCCs will interplay with EDPB’s yet to be finalized, “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data from November 10, 2020” and whether EU supervisory authorities will clarify their position on the need to further supplement the new SCCs.
It is safe to say that companies will face another eventful year in data protection compliance. Along with the new SCCs for international data transfers, the European Commission is also expected to adopt SCCs for transfers between controllers and processors, which will provide a template for what we have come to know as the Article 28 Data Processing Agreements.
Albeit no longer part of the EU, the UK’s supervisory authority, the Information Commissioners Office (ICO) has also been busy. The ICO published its intention to launch consultation on a new set of SCCs for the UK, as well as publish the new set in the course of 2021. The ICO has also announced that its new Data Sharing Code of Practice has been laid before the UK Parliament on May 18, 2021 and will come into force after 40 sitting days (provided no objections are raised).