
EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs cover transfers of personal data from the EU to third countries, as well as transfers between controllers and processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post.)

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (controller-processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Finally, the structure of the draft SCCs allows for modular contract clauses. The updated clauses also allow additional parties to accede to the clauses, either as data exporter or data importer, by executing a specific annex. Previously, new parties were forced to use a wraparound framework of data transfer agreements which incorporated the SCCs in order to implement them as an appropriate safeguard for international transfers. All of these changes bring welcome flexibility to these contracts.

What else is new?

The new draft SCCs are the first of their kind issued under the GDPR and, as such, reflect the GDPR’s requirements, whereas the old SCCs were drafted under the GDPR’s predecessor.

Accordingly, the new SCCs impose more comprehensive transparency and notification obligations on the parties. In particular, a data importer will be required to notify the data exporter and, where possible, the affected data subjects if:

  • The data importer receives a legally binding request by a public authority, or,
  • The data importer becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs.

Furthermore, the data importer will be obliged to exhaust all available remedies to challenge the access request if, after careful assessment, it concludes that there are grounds under the local laws to do so.

In line with this new requirement of an assessment of the local laws following an access request, the new SCCs reiterate the need for a comprehensive assessment to determine whether the data transfer to a third country can reach an adequate level of data protection as required under the GDPR. According to the new clauses, the parties must take into account the specific circumstances of the transfer, any relevant prior instances of requests for disclosure by public authorities received by the data importer, as well as the laws of the third country of destination, particularly laws that require disclosure of data to public authorities or allow access by such authorities.

What does this mean?

While the new draft SCCs provide for specific safeguards in light of Schrems II, the new clauses do not relieve the parties from their obligation to assess and address the likely consequences of the third country’s laws. In effect, the draft SCCs thereby require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice. This approach has already been criticized by stakeholders and practitioners alike as unwieldy, effectively placing the burden of adequacy decisions on private parties rather than government bodies.

As few legal possibilities remain for companies to secure their cross-border data transfers following Schrems II, the draft SCCs have been eagerly awaited. The EU Commission has provided this modernization of the old model clauses in order to better reflect recent developments in the digital economy as well as the widespread use of new and more complex processing chains.

Whether the new draft SCCs can provide an adequate, as well as practical solution for businesses around the globe remains to be seen.

What are the next steps?

The draft clauses are subject to consultation with the European Data Protection Board (“EDPB”), and are currently open for public consultation until December 10, 2020. Once formally adopted, the new SCCs will replace the previous clauses used by organizations for international transfers under the GDPR. Businesses will have twelve months from the date the new SCCs enter into force to replace any existing SCCs currently relied upon.

As a result, businesses will need to assess their data transfer arrangements in the next year and replace their existing framework of standard contractual clauses with the new SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the EEA.

A Footnote on Article 28 Clauses

Along with the new draft SCCs, the European Commission has also published draft standard contractual clauses between controllers and processors located in the EU. This draft contains clauses that a controller can impose on the processor in order to satisfy the contractual requirements that the controller is obliged to impose under Article 28 GDPR.

The use of the European Commission approved Article 28 Clauses will not be compulsory and businesses may continue to use their data processing agreements between controllers and processors to satisfy the requirements of Article 28 GDPR.