The long-awaited new Standard Contractual Clauses (“SCCs”) which may be used to transfer personal data outside the European Economic Area (“EEA”) pursuant to art. 46 of the GDPR were adopted by the European Commission on June 4th. They are drafted using a modular approach, so can be applied to all kinds of personal data transfers (controller to controller, controller to processor, processor to controller, processor to processor). They are also specifically drafted so they can be used as data processing agreements (controller to processor) pursuant to art. 28.
The new SCCs will come into effect on June 27, 2021. The previous SCCs can be used for “new” data transfers during a transition period of three months and also can be used for existing data transfers for up to 18 months.
The adoption of new SCCs, fully justified in any event by changes in technology and practices since the previous ones were issued, comes a little less than one year after the Schrems II judgment of the European Court of Justice (“ECJ”), which substantially toughened the obligations of the parties involved in transferring personal data outside the EEA. After months of uncertainty, the new SCCs do however shed light on some of the many doubts which the Schrems II judgment raised, and which were not completely resolved by the two sets of Recommendations of the European Data Protection Board (“EDPB”) published in November 2020 or by the Joint Opinion on the Commission draft Implementing Decision published by the EDPB and the European Data Protection Supervisor (“EDPS”) earlier this year.
The new SCCs confirm the need for a Transfer Impact Assessment
In the Schrems II judgment, the ECJ indicated that data exporters are responsible for assessing whether the laws and practice of the importing country impinge on the effectiveness of the appropriate safeguards provided by the Art. 46 tools, such as the SCCs. Where such safeguards are not guaranteed, the ECJ leaves open the possibility of nevertheless transferring the data where the exporter and importer adopt supplementary measures to fill the gap in protection. So let’s review the SCCs and in particular Section III concerning “Local laws and practices affecting compliance with the Clauses” and “Obligations of the data importer in case of access by public authorities”. Are they consistent with the Schrems II judgment and with Recommendations published by the EDPB?
First of all, it can be noted that the European Commission has drawn up the SCCs undoubtedly adopting the risk-based approach, which permeates the GDPR and has also guided the ECJ in defining the additional obligations related to the transfer of personal data to non-EEA countries, as well as, consequently, the EDPB in the drafting of the abovementioned Recommendations.
The new SCCs confirm in Section III the most important new feature concerning personal data transfers outside the EEA introduced by the ECJ in Schrems II, which is the need for the data exporter and data importer to carry out what has come to be known as a Transfer Impact Assessment in order to assess the risks of the transfer of personal data and, where necessary, define the supplementary measures whose implementation is necessary to adequately protect personal data.
In the first place, the SCCs clarify duties and responsibilities of the importer related to the carrying out of the Transfer Impact Assessment. The data exporter is by implication bound to draft the assessment but the data importer warrants that it has made its best efforts to provide the data exporter with relevant information and, jointly with the exporter, warrants that they have “no reason to believe” that the destination territory’s laws will cause the data importer to be unable to fulfill its commitments under the SCCs, both the importer and the exporter having assessed the specific circumstances of the transfer, the laws and practices of the third country of destination and any appropriate supplementary measure to be implemented. Therefore, the SCCs oblige the data importer to collaborate with the data exporter in carrying out the Transfer Impact Assessment, which is essential in order to meet the Schrems II requirements.
Secondly, the SCCs supplement what is established by the ECJ regarding what needs to be assessed by the parties, expressly specifying that the analysis of the circumstances of the transfer (“the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred”) must be taken into account for the purposes of the assessment. Therefore, it is clarified that the Transfer Impact Assessment is not an assessment of the third country regulations, detached from any reference to the specific case, but, on the contrary, it is an assessment that strongly depends on the concrete features of the specific transfer of personal data in question.
The specific circumstances of the transfer are also crucial to the choice of supplementary measures where the Transfer Impact Assessment finds that, on their own, the combination of laws and practices of the destination country with the contractual, organizational and technical measures provided by the SCCs fails to guarantee an EU-equivalent level of protection of the personal data being transferred. Probably for this reason, the new SCCs shed no further light on what the supplementary measures should consist of, beyond making it clear that the technical and organizational measures listed in Annex II are an exemplification of basic appropriate measures, so any supplementary measures must be in addition to these.
So on this point, it will be necessary for the data exporter and the data importer to refer to the EDPB Recommendations 1/2020, which tried to clarify the doubts on the supplementary measures that must be applied to protect personal data transferred outside the EEA to countries whose public authorities’ powers of access to personal data are not limited to what is necessary and proportionate in a democratic society and where data subjects are not afforded effective redress, illustrating examples of supplementary measures that would or would not be effective in providing adequate protection. However, it should be noted that the final version of these Recommendations has not yet been published and it is unlikely that it will resolve the numerous doubts in specific situations, leaving the parties with the heavy burden of identifying and implementing supplementary measures and assuming the responsibility of deciding whether they are adequate to grant EU-equivalent protection as required by Schrems II.
The situation after Schrems II is taking shape over time and the adoption of SCCs has been important in shedding some light, although in some cases they have had the opposite effect; in particular, there are questions about the correct interpretation of Recital 7 of the Implementing Decision.
That said, the SCCs have confirmed how Schrems II has burdened companies with onerous requirements, and in particular that of undertaking Transfer Impact Assessments and implementing supplementary measures, taking on themselves important risks, responsibilities and costs that many cannot afford. Is Europe on the right path? At the moment it is impossible to say; only time will give the answer.