On 12 November 2020, the European Commission (Commission) published a draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (GDPR) along with its draft set of new standard contractual clauses (the New SCCs).
Background: Restricted Transfers Under GDPR
The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA), with some exceptions. Individuals risk losing protection under the GDPR if their personal data is transferred outside of the EEA. The GDPR, therefore, restricts such transfers ('restricted transfers'), unless rights of individuals are protected in another way or an exception applies.
A restricted transfer can be made if it is necessary to meet your purposes and one of the following three conditions is satisfied:
1. If the country or territory where the data recipient is located, or the specific sector in that territory in which the data recipient operates, is subject to the Commission's 'adequacy decision'.
- This is a decision that the legal framework in a particular country or territory provides 'adequate' protection for individuals' rights and freedoms for their personal data.
- So far, the Commission has recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Adequacy talks are ongoing with South Korea.
2. If there is no relevant adequacy decision, but you have implemented one or more of the 'appropriate safeguards' listed in the GDPR. These safeguards are to ensure you and the recipient are legally required to protect individuals' rights and freedoms for their personal data. One example is that you and the data recipient based outside the EEA have entered into a contract incorporating standard data protection clauses adopted by the Commission (i.e., standard contractual clauses (SCCs)). The Commission has adopted four sets of SCCs under the GDPR. The draft Implementing Decision seeks to replace these with the New SCCs, which are annexed to the decision.
3. If your proposed restricted transfer is covered by neither an adequacy decision nor appropriate safeguards, but an exception in the GDPR applies. For example, there is an exception if the individual has given their explicit consent to the restricted transfer or it is necessary to perform a contract you have with the individual. Note, however, that relying on an exception is a last-resort option.
The New Standard Contractual Clauses
The draft Implementing Decision explains that the SCCs previously adopted by the Commission needed to be updated and modernised due to new requirements in the GDPR and developments in the digital economy.
The New SCCs combine general clauses with a modular approach, to cater for various transfer scenarios and the complexity of modern data-processing chains. Controllers and processors should use the general clauses and, in addition, select the modules applicable to their situations. The modules vary based on the transfer scenario and designation of the parties under the GDPR and distinguish (1) controller-to-controller transfers; (2) controller-to-processor transfers; (3) processor-to-processor transfers; and (4) processor-to-controller transfers. This approach allows you to tailor your obligations to your corresponding role and responsibility in relation to the data processing at issue.
Other Key Features of the New SCCs
- It is possible for more than two parties to adhere to the New SCCs and additional parties can accede throughout the cycle of the contract.
- The New SCCs may be used for transfer of personal data to a sub-processor in a non-EEA country, subject to certain exceptions.
- With certain exceptions, data subjects should be able to invoke the New SCCs as third-party beneficiaries. This means that the law chosen as governing the contract must allow for third-party beneficiary rights.
- The New SCCs provide for rules on liability between the parties and with respect to data subjects and rules on indemnification between the parties.
- Where a data subject suffers damage as a consequence of breach of third-party beneficiary rights under the New SCCs, they would be entitled to compensation.
- The laws of the country of the recipient must not prevent you from complying with the New SCCs.
When Will the New SCCs Be Adopted?
The adoption process for the New SCCs requires an opinion of the European Data Protection Board and the positive vote of EU Member States through the comitology procedure (which requires the Commission to consult a committee in which each EU country is represented before it can adopt an implementing act). The final SCCs are expected to be adopted early this year.
Over the next few weeks, Katten will follow up with additional analysis on post-Brexit GDPR compliance. See our advisories, "Key Areas of Change to Data Protection Laws Post-Brexit" and "Data Protection Representatives and NIS Representatives," for more details.
Georgina Vale, a trainee solicitor in the Intellectual Property group, contributed to this advisory.