New Draft Standard Contractual Clauses for Personal Data Transfers Outside EEA and Domestic Controller to Processor Relationships

On 12 November 2020, the European Commission published two draft implementing decisions: (1) one containing a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the SCCs), and (2) one containing a draft of new standard contractual clauses for controller-processor data processing agreements (DPAs) pursuant to Article 28(7) of the GDPR. The new SCCs are awaited particularly after the Court of Justice of the European Union declared invalid the EU-U.S. Privacy Shield in its Schrems II ruling in July 2020, although it remains uncertain whether such new SCCs will be able to overcome the incompatible legislation in states where the data are imported (such as the U.S. legislation allowing for broad surveillance of electronic communication without appropriate privacy safeguards for European data subjects).

Citizens and other stakeholders have until 10 December 2020 to provide feedback on the above-mentioned draft implementing decisions. After this date, the relevant committee will vote to accept or reject the draft decisions.

The published draft implementing decision on SCCs includes inter alia the Annex containing the actual clauses which follows a modular approach to cater to various cross-border transfer scenarios. Parties to a transfer outside the EU may base their personal data transfer on the general clauses and the respective module applicable to their processing situation at issue.

The new clauses can be used for the transfer of personal data (1) from controllers in the EU to controllers in a third country, (2) from controllers in the EU to processors in a third country, (3) from processors in the EU to a sub-processor in a third country, (4) from controllers located in a third country subject to the GDPR to processors outside the territorial scope of application of the GDPR, and (5) from processors located in a third country subject to the GDPR to sub-processors outside the territorial scope the GDPR.

The proposed SCCs are issued under the GDPR. Their coverage is wider than that of the old SCCs, since the new clauses cover additional processing and transfer situations and use a more flexible approach, for example, with respect to the number of parties able to join the contract.

The new clauses do not relieve the parties to the processing arrangement from assessing and addressing the likely consequences of the third country’s laws. In effect, the new SCCs require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice.

The SCCs newly require that data subjects be provided with a copy of the new clauses upon request and are informed, in particular, of (a) any change of purpose of personal data processing and of (b) the identity of any third party to which the personal data will be disclosed. The SCCs also newly (1) provide that any onward transfer by the data importer to a recipient in another third country requires that either such recipient joins the SCCs or the data subject gives explicit, informed consent; (2) describe in more detail the liability between the parties and towards the data subjects and the indemnification obligations between the parties to the transfer; (3) cover specific processing situations such as the merger of non-GDPR personal data with GDPR personal data by a data processor; (4) explicitly require a sub-processor to ensure compliance with the instructions of both the processor and the controller, etc.

The European Commission separately proposed certain standard contractual clauses to be used between controllers and processors, as part of a DPA. These SCCs are the Commission’s response to Article 28(7) of the GDPR, which allows the European Commission to “lay down standard contractual clauses” for the contractual safeguards required by Article 28(3) and (4) of the GDPR when a data controller engages a data processor to carry out specific processing activities on its behalf. The European Commission has set forth these new SCCs for DPAs to standardize the data protection-related rights and obligations of the respective parties even for transfers that do not cross the EEA borders.