Unlike their predecessors, the draft new SCCs take into account the CJEU's Schrems II decision by including specific provisions dealing with government access requests. The documentation issued by the European Commission, which is open for public consultation until December 10, 2020, includes the draft Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, and the draft Annex to the Commission Implementing Decision with the proposed new SCCs.
A modular approach
Unlike the existing sets of SCCs, which included two different versions (controller-to-controller and controller-to-processor), the new SCCs adopt a modular concept that caters to various transfer scenarios:
- Controller to controller transfers;
- Controller to processor transfers;
- Processor to processor transfers; and
- Processor to controller transfers.
The European Commission notes in its draft Implementing Decision that developments in the digital economy since the adoption of the current SCCs call for a modernization of the existing versions to better reflect the realities of modern data processing operations.
Each clause within the new SCCs contains different modules which are applicable depending on the type of transfer of personal data covered by the contract. Controllers and processors are able to select the modules applicable to their situation, making it possible to tailor the obligations to the roles and responsibilities of the contracting parties. In order to provide greater flexibility, the new SCCs also make it possible for more than two parties to adhere to the contract, and additional parties are also able to accede to it as data exporters or data importers with the agreement of the other contracting parties.
Schrems II provisions
The European Commission also reaffirms the CJEU's Schrems II decision by stressing that the transfer of personal data under the SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with the contractual provisions. The SCCs include a mutual warranty stating that the contracting parties have no reason to believe that the laws applicable to the data importer prevent that data importer from fulfilling its obligations under the SCCs.
In providing this warranty, the contracting parties are required to confirm that they have taken due account of particular elements including: the specific circumstances of the transfer, the laws of the relevant third country of destination in light of the circumstances of the transfer, and any supplemental safeguards to those under the SCCs (including technical and organizational measures). In addition, the SCCs include detailed obligations applicable to the data importer which set out the specific measures to follow with respect to requests for government access to data transferred under the SCCs.
Once the European Commission adopts the final version of the new SCCs, there will be a transitional period of one year from the date of entry into force of the Implementing Decision. During this transitional period, data exporters and data importers may continue to rely on existing SCCs for the performance of contracts concluded before that date, provided that: (i) the contract remains unchanged, and (ii) any necessary supplementary measures are implemented in order to ensure that the transfer of personal data is subject to appropriate safeguards.
Authored by Eduardo Ustaran, Laur Badin, and Emma Hughes.