New standard clauses for international data transfers are coming
The Commission has published a draft for new standard clauses to ensure compliance with the GDPR in the light of the latest case-law of the European Court of Justice. So far, the new standard clauses are only a draft, but they provide an important insight into the future level of protection in the area of data transfers to countries outside the EU/EEA.
On 12 November 2020, the Commission published a draft for new standard contractual clauses (SCC) for transfers of personal data to third countries (non-EU/EEA countries). The SCCs must be seen in the light of the ECJ's decision in Schrems-II of 16 July 2020, where the European Court of Justice ruled that transfers of personal data to third countries must ensure a level of protection that is "essentially equivalent" to the level of protection under the General Data Protection Regulation (GDPR).
According to Art. 46(2)(c) of the GDPR the Commission may adopt SCCs. The Commission has utilised this opportunity in relation to the current SCCs which are set out in Decision 2001/497/EC5 and Decision 2010/87/EU6, based on the old Data Protection Directive 95/46/EC. These can no longer provide adequate protection, and the increased digitisation has created complex processing chains that have necessitated new and more comprehensive SCCs.
The new SCCs are so far only a draft with the Commission's initial position and will not be finally adopted until after 10 December 2020, when the public consultation period expired. Although they are not definitive, they provide an important insight into what future SCCs will look like. When the final SCCs are adopted, they will repeal the two previous SCCs (2001/497/EC5 and 2010/87/EU6) but can still be used for up to one year after the entry into force of the new SCCs.
The content of the new standard clauses
The Commission's new SCC bears a great deal of textual similarity to the GDPR.
They are structured in three different sections, the first containing general clauses, the second containing the parties' real obligations in the case of transfers, and the third providing clauses about the choice of law and termination of the contract.
The first section states, among other things, that the SCC takes precedence over other agreements between the parties if there is a discrepancy between the SCC and the other agreement (clause 4).
The second section is built around the four different transfer relationships: (1) from data controller to data controller, (2) from data processor to data processor, (3) from data controller to data processor, or (4) from data processor to data controller. It will always be a transfer from a data exporter located in the EU/EEA to a data importer located in a third country.
The new SCCs include, among other things, provisions to ensure transparency for data subjects (including in relation to what exactly is being transferred to a third country), provisions on health security (Art. 32 of the GDPR), provisions on documentation, and liability provisions.
The SCCs have three Annexes in which the data exporter and the data importer can, among other things, fill in the identification and contact details (Annex 1), a detailed description of the data being transferred (Annex 2), and a description of the technical and organisational measures implemented by the data importer (Annex 3).
In a contract between a data exporter and a data importer, additional clauses may be inserted into the agreement at any time to ensure a higher level of protection for data subjects than is stated in the SCCs. However, one should be aware that the clauses inserted do not conflict with the SCC's or are detrimental to the rights of data subjects under the GDPR.
NJORD Law Firm's comments
The new SCCs are particularly relevant for data processors and data controllers who already transfer information to third countries. Bear in mind that the existing SCCs will soon be replaced and that the new standard clauses provide for a higher level of protection for the data subject. Therefore, you can usefully update the contract with your data importer to meet the new requirements. Also, it is important to remember to comply with the obligation to provide information in Art. 13(1)(f) and Art. 14(1)(f) of the GDPR to inform the data subject of a possible transfer of data to third countries.
NJORD has extensive experience with data transfers to third countries and, as always, we can prepare your new contracts, review and assess your current contracts, or other similar services.