EU Commission proposal on new standard data protection clauses - Post Schrems II
On 12 November 2020, the European Commission published a proposal for new standard data protection clauses (also referred to as standard contractual clauses; hereinafter referred to as “draft SCC”). The European Commission published those draft SCC shortly after the publication of the recommendations of the European Data Protection Board (“EDPB”) for third country data transfers (you can find our initial assessment here) as well as the EDPB publication “European Essential Guarantees”.
The aim of the publication is to conduct a short consultation. At the end, the European Commission could publish new SCC. These proposed draft SCC, combined with recommendations for third country data transfers, also taking into account the Schrems II decision, could provide more legal certainty for users (you can find our contribution to the Schrems II decision here).
Structure of the draft SCC
The draft SCC use a modular approach. This means that there should be one SCC version covering the following four scenarios via text modules:
1. Module 1: Transmission between two (or more) controllers (“controller-controller”).
2. Module 2: Transmission from one controller to one (or more) processors (“controller-processor”).
3. Module 3: Transmission from a processor to one (or more) processors (“processor-processor”).
4. Module 4: Transmission from a processor to one (or more) controllers (“processor-controller”).
Selected content of the draft SCC in light of the Schrems II decision
Some of the requirements that have become the focus of discussion, particularly due to the Schrems II decision, are already reflected in these draft SCC. These include an increased focus on transparency requirements. Furthermore, they include a more differentiated handling of various legal requirements due to national laws applicable in a country outside of the European Union/European Economic Area (= a third country).
For example, in a controller-controller situation, the data importer is obliged to provide certain information to the respective data subjects, either directly or indirectly via the data exporter. This includes in particular information on the identity of the data importer and on all relevant data processes. A data importer must therefore provide information on its own relevant data processes as a controller, too.
In principle, the draft SCC contain clauses benefitting third parties. This means that data subjects, as a third party to such an SCC contract, can rely directly on these clauses to assert claims against the data exporter and/or the data importer (see Section I, Clause 2; Third party beneficiaries).
The draft SCC contain the clear obligation that in the event of a further data transfer by the data importer to a third party (so-called “onward transfer”), either this third party must also assume the corresponding SCC obligations or another justification must be applicable under the GDPR for such an onward transfer (see Section II, Module 1 Clause 1.7, Module 2 Clause 1.8 and Module 3 Clause 1.8).
A clause applicable to all the standard scenarios above deals with the national law of the data importer. The parties, i.e. the data exporter and the data importer, assume that no local law prevents the data importer from performing its respective duties in line with SCC obligations (Section II, Clause 2; Local laws affecting compliance with the Clauses). In addition, they shall prepare a data transfer impact assessment and make it available to the competent data protection supervisory authority upon request (Section II, Clause 2 lit. d)).
The data importer is furthermore obliged to inform at least the data exporter - and if possible the respective data subjects - immediately if a sovereign authority requests access to personal data covered by an SCC obligation. The data importer should also be obliged to take action against such an order if there are indications that such an order is unlawful (Section II, Clause 3; Obligations of the data importer in case of government access requests).
In addition, the data exporter is granted an extraordinary right of termination if the data importer does not comply with an SCC obligation (Section III, Clause 1; Non-compliance with the Clauses and termination).
The appendix for the technical and/or organizational protective measures contains placeholders with suggestions as to which types of exemplary measures could be regulated.
One point of criticism that has already arisen during the consultation process is that these draft SCC cannot ultimately prevent secret data access by government agencies. A central problem of the Schrems II decision is therefore not solved by these draft SCC.
However, these draft SCC are a good approach to providing users with an update to a very important tool for international data transfers. Since the draft SCC themselves do not contain any technical and/or organizational protective measures, the EDPB's recommendations for third country transfers should be read in parallel. In addition, requirements similar to the GDPR are clearly extended to the data importer.
If these draft SCC are adopted, existing (old) SCC must be revised and brought up to date within one year (see Article 6 (3) of the draft implementation decision).
However, it is unclear whether these draft SCC will ultimately be adopted. The European data protection authorities have already expressed dissenting opinions.