On November 12, 2020, the European Commission (“EC”) published the draft implementing Decision on Standard Contractual Clauses for the transfer of personal data to third countries (“New SCC” or “Decision”), which were available for public consultation through December 10, 2020.
Absent an adequacy decision from the EC under Article 45 of the Regulation (EU) 2016/679 (“GDPR”), data transfer to a third country, or an international organization, may be based, inter alia, on standard data protection clauses adopted by the EC (Article 46.2.c of the GDPR). In this regard, the EC set out the relevant standard contractual clauses in Decision 2001/497/EC (as amended by Decision 2004/915/EC) and Decision 2010/87/EU (“Former SCC”); those are intended to be superseded by the New SCC, mentioned above, once the public consultation period has ended and the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have issued their opinions.
In particular, as regards the implementation of the New SCC, the draft Decision provides a one-year grace period. During that time, Exporters and Importers (as defined below) that entered into an agreement before the date of entry into force of the Decision may continue to rely on the Former SCC, provided that they implement the necessary supplementary measures to ensure appropriate safeguards. Consequently, the EC requires the adequacy of the Former SCC in relation to the specific data transfer carried out by the Importer and the Exporter to be assessed immediately and any further measures required as a result of the assessment to be implemented.
The New SCC follow the well-known decision of the Court of Justice of the European Union (“CJEU”) of June 16, 2020, on the case Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Case C-311/18, “Schrems II judgment”), which invalidated the Privacy Shield; as well as the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (open for public consultation until December 21, 2020, “Recommendations”).
Indeed, the New SCC extensively cite both the Schrems II judgment and the Recommendations, mentioning the necessity to ensure, by means of such clauses, a level of protection for personal data that is at least equal to that guaranteed under the GDPR. By way of example, the New SCC note that the recipient of the personal data established in the third country (“Importer”) shall inform the party that transferred the personal data to the third country (“Exporter”) of any inability to comply with its obligations under the New SCC. Additionally, the Exporter shall suspend the data transfer and/or terminate the underlying agreement it entered into with the Importer if the latter is not able to comply with the New SCC.
Furthermore, as detailed below, the New SCC in any case instruct the parties to assess the actual level of the safeguards ensured by the SCC in light of the law of the destination country and, if necessary, to implement further measures to guarantee a GDPR level of protection.
As a further remark, consistent with the Recommendations, the New SCC include obligations for the Importer should public authorities request access to the data transferred by the Exporter, and they also make mention of technical measures to be implemented, such as encryption and pseudonymization.
Against this backdrop, the final version of both the New SCC and the Recommendations should provide a clearer scenario than the one that followed the Schrems II judgment, a period characterized by great uncertainty, during which some National Data Protection Authorities (“NDPA”), including the German and the Belgian authorities, provided guidance on how to manage and assess data transfers to third countries.
As mentioned above, the New SCC confirm the approach adopted by the CJEU in the Schrems II judgment, requiring the parties to evaluate the adequacy of the New SCC to deal with the risks linked to the specific data transfers they handle. This means that any data transfer to a third country that is not covered by an adequacy decision of the EC makes it necessary not only to adopt an alternative measure under Article 46 of the GDPR, but also to assess the concrete possibility of ensuring an adequate level of safeguards through such a measure.
Firstly, this requirement tends to cover a very large number of data transfers, since there are currently only a few adequacy decisions, most of which concern countries that are not pivotal to the digital market network. Secondly, it seems to shift the responsibility for the adequacy assessment pursuant to Article 45 of the GDPR from the EC to the Exporter involved in the processing, which will necessarily work in concert with the Importer to carry it out. In light of this, although the introduction of such a requirement could be considered in line with the principle of accountability established by the GDPR, there is still a risk of imposing an unwieldy burden on the Exporter, with extremely significant impact both legally and economically.
Indeed, as a general rule, the GDPR has led to the controller having to undertake (preliminary) data processing impact assessments before the relevant processing. Nevertheless, in the context of data transfers to third countries, the adequacy evaluation should take into account extremely complex and variable elements, such as foreign local laws, and could be seen as a disproportionate implementation of the principle of accountability, requiring excessive and difficult effort from the parties involved in the transfer. This could even lead to the conclusion that the EC seems to require the Exporter to take its place in carrying out a case-by-case adequacy evaluation whenever the EC has not performed one under Article 46.
The New SCC cover different data transfer scenarios depending on the parties involved, meaning that the New SCC refer not only to controller-to-controller and controller-to-processor scenarios, but also to processor-to-processor (i.e., sub-processor) and processor-to-controller cases.
Among other new developments, it is worth mentioning that Recital No. 5 of the New SCC expressly refers to another EC draft implementing Decision on standard contractual clauses between controllers and processors located in the European Union for the matters referred to in sections 3 and 4 of Article 28 (“Article 28 SCC”), meaning the content of the agreement regulating processing carried out by the processor on behalf of the controller. In fact, pursuant to Article 28.7, the EC may set forth standard contractual clauses in this regard that the controller may then decide to adopt.
The Article 28 SCC were open for public consultation through December 10, 2020, and they represent a further tool that the controller may choose to use to meet requirements under the GDPR. That said, although not mandatory, the Article 28 SCC could solidify specific requirements that controllers would have to keep at the forefront of their minds when drafting agreements regulating the processing carried out by the processors on their behalf.
Finally, the latest news on NDPA enforcement after the Schrems II judgment seems to suggest that NDPAs will proceed with careful verification of the legitimacy of data processing involving data transfers to third countries. Indeed, on December 10, 2020, the Swedish Data Protection Authority sanctioned Umeå University for processing special categories of personal data stored on a U.S.-based cloud without applying appropriate technical and organizational safeguard measures.