EU Commission releases a draft set of new SCCs
Following the European Court of Justice’s Schrems II decision, the European Commission released a draft set of SCCs and a draft implementation decision.
On November 12, 2020, the European Commission published a draft implementing new Standard Contractual Clauses (SCCs) for the transfer of personal data to countries outside of the European Economic Area. These SCCs reflect changes required under the Schrems II decision (read our full breakdown of the ECJ's ruling on the “EU-US Privacy Shield” here) and are expected to fully replace the current SCCs at the beginning of 2021. Organizations that make international transfers of personal data to third countries must take a close look at the obligations imposed by the new SCCs in order to remain compliant.
The new SCCs pertain to transfers of personal data from the EU to third countries and retain some of the principles in the current SCCs that were approved by the Court of Justice in Schrems II. The maintained principles include:
The obligation of the data exporter to consider the level of protection of personal data in the third country
The obligation of the data importer to notify the data exporter of any inability on the part of the importer to comply with SCCs
The obligation of the data exporter to suspend data transfers and terminate the agreement or notify the supervisory authority if it continues to transfer personal data after having received notice that the data importer cannot comply with SCCs
The new SCCs build upon these principles and implement further safeguards for data transfers. Under the new SCCs, the data exporter is required to document a case-by-case transfer impact assessment and must make it available to the competent supervisory authority upon request. There are particular factors that the data exporter must consider in a transfer impact assessment. Amongst these factors are the law in the third country, the duration of the contract, the scale and regularity of transfers, the length of the processing chain, the type of recipient, the purpose of the transfer and the nature of the data transferred.
Another obligation provided by the updated SCCs relates to public authorities in a third country requesting access to personal data from the EU. In such instances, the data importer must notify the data exporter and data subject that a public authority has requested access to the data and assess the legality of the request based upon the law of the third country. If the data importer finds that there are no grounds under jurisdictional law to fulfill the access request, then the data importer must exhaust all available remedies to challenge the request.
As of now, existing transfers can continue to be made on the basis of the current SCCs and benefit from a one-year sunset provision. However, contracts that are changed and new contracts must adhere to the new SCCs. The caveat to this is that if a contract has been changed solely to provide additional safeguards under Schrems II, then it will still benefit from the one-year sunset provision.
In addition to the updated SCCs, the European Commission also published draft standard contractual clauses between controllers and processors located in the European Union. These provide clauses that a controller can impose on the processor in order to satisfy the contractual obligations provided by Article 28 of the GDPR.
The updated SCCs and Article 28 Clauses are open for public feedback until December 10, 2020. Feedback may be submitted here.
Datawallet is the world’s leading blockchain-based data privacy compliance platform. Being the first company to champion the concept of Consumer First Compliance, we not only enable enterprises to comply with complex international data privacy regulations such as CCPA and SB-220 in the United States, GDPR in Europe, and POPIA in South Africa.