Saturday, November 14, 2020
Following on from this week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer (EU-based processor to ex-EU processor, and EU-based processor to ex-EU controller) and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation (GDPR). The draft clauses will be subject to consultation with the EDPB, and there are a few points of potential disagreement between the Commission’s draft and the EDPB’s guidance.
New Transfer Scenarios
The Standard Contractual Clauses approved by the Commission in 2001 and 2010 only addressed two data flow scenarios: an EU-based controller exporting data outside of the EU to other controllers, or to processors. In this new draft, the Commission departs from that approach and addresses a gap which frequently occurred in practice: allowing for EU processors to serve as data exporters to controllers and processors outside of the EU. All of the scenarios permitted by the new contract form are laid out in a series of “modules,” with generally applicable clauses included before and after the more specific sections.
This brings welcome flexibility, and acknowledges the reality that EU-based processors frequently export personal data to non-EU sub-processors (who do not currently have a satisfactory legal mechanism to cover those transfers) and reflects the expanded territorial scope of the GDPR. It creates a pathway for controllers outside of the EU to work with processors located in the EU on projects involving EU data. For example, a U.S. company could retain the services of an EU-based call center to respond to customer queries arising from sales made in the EU. The new SCC forms for a processor-controller transfer would allow that call center to share customer data with its U.S.-based client. That call center could now also sub-contract its work to an overflow call center outside the EU, using the processor-processor form.
From a structural perspective, the new SCCs also provide a mechanism for additional parties to accede to the clauses as data exporter or data importer – something which is often done under the current SCCs by using a wraparound framework data transfer agreement which incorporates the SCCs.
Tension with the EDPB?
Given the timing of the two announcements, it is impossible to read the Commission’s draft without thinking of the EDPB’s six-step process for evaluating data transfers. There does appear to be some potential disagreement regarding the approach controllers are expected to take. Both the Commission and the EDPB include a list of factors data importers must consider when determining whether local law permits them to comply with their obligations under the SCCs, but the lists are not the same. The Commission appears to permit data importers to consider the practical likelihood of government access by allowing evaluation of “relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred.” The EDPB, on the other hand, warned data importers away from “subjective” considerations, including “the likelihood of public authorities’ access to your data in a manner not in line with EU standards.” However, both documents note that the evaluation must include all laws “applicable” to the data importer.
One-Stop (Contract) Shop
The Commission noted that it believes its proposed clauses not only satisfy the requirements of Article 46 (standard contractual clauses for international transfers) but, when used by an EU controller with a processor, also satisfy Article 28. Article 28 details the requirements for controller-processor contracts generally (regardless of whether personal data is exported outside the EEA), and these obligations are often the subject of negotiation between business entities. The Article 28 aspects of the draft SCCs are relatively “bare bones” and may be favored by processors who do not wish to agree to bespoke obligations for each controller they work with. The relatively minimalist approach is somewhat at odds with the approach taken by the EDPB in its recent guidance on controllers and processors (see “New Guidelines on Data Controllers and Processors: Time to Review Data-Processing Agreements”), which stated that while the Article 28 obligations constitute the core content of a data processing agreement, they are not sufficient in themselves and should be supplemented by detailed provisions which set out the respective obligations of controllers and processors. In at least one instance, the draft terms reach “business” issues not usually addressed by regulators, and apportion the cost for data protection audits between the parties. The Commission’s note does indicate that use of the SCCs for Article 28 purposes is not required and the parties can supplement these provisions with additional terms.
Where Do We Go From Here?
The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. The feedback received during this process could lead to further changes to the structure and content of the documents. Once in final form, the decision and clauses will need to be formally adopted by the Commission to be effective and available to companies for use. Fortunately, the draft Commission decision provides a one-year transitional period. Existing contracts using the old SCC forms will remain effective during this period, provided the contract is otherwise unchanged. Once contracts are revised or updated, however, the new clauses should be implemented. While this is helpful breathing space, this week’s combined developments mean that international data transfers will be high on the compliance agenda for the remainder of 2020 and a key priority for 2021.
Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.
View the draft Standard Contractual Clauses.
© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 319