The European Commission (the “Commission”) published its long-awaited draft proposal of Standard Contractual Clauses (“Proposed SCCs”) for data transfers between the European Union (“EU”) and third countries. This proposal follows the recent invalidation of the EU-US Privacy Shield and related guidance from the European Data Protection Board (“EDPB”). Organisations that rely on SCCs will be required to implement the Proposed SCCs within one year of their approval.
The General Data Protection Regulation (“GDPR”) permits a transfer of personal data of EU residents to a recipient outside of the EU only in specific cases, for example where the Commission has decided that the third country ensures an adequate level of protection of personal data. In the absence of such an adequacy decision, a controller or processor must put in place appropriate safeguards when transferring personal data to a third country. One example of such safeguards is the standard data protection clauses (“SCCs”) adopted by the Commission in 2004 and 2010. These clauses seek to ensure appropriate data protection safeguards for international data transfers and can be included in a wider contract between data exporter and importer.
Summary of the Proposed SCCs
With the Proposed SCCs, the Commission aims to address issues stemming from the recent Schrems II decision from the Court of Justice of the European Union (“ECJ”), which invalidated the EU–U.S. Privacy Shield. Aside from invalidating the Privacy Shield, the ECJ declared the current SCCs valid and a suitable legal basis for data transfers to third countries. The current form of SCCs, however, has often been regarded as too rigid and inflexible for large multinational organisations where personal data crosses and re-crosses borders regularly. The Proposed SCCs are structured as “modules” which permit the contracting parties to select the clauses tailored to their specific constellation (e.g. EU controller with non-EU processor, non-EU controller with EU processor, etc.).
The draft Proposed SCCs also include provisions to address requests from public authorities. Pursuant to these, the parties must warrant that they have no reason to believe that the laws of the destination country would prevent the data importer from fulfilling its obligations under these SCCs and that to their understanding these laws “do not exceed what is necessary and proportionate” under the GDPR. This includes specifically “requirements to disclose personal data or measures authorising access by public authorities”.
Consequences for Organizations Relying on SCCs
The draft proposal is currently open for feedback from the public until 10 December 2020. Afterwards, the implementing decision will continue through the EU’s committee procedure. Once implemented, the Proposed SCCs will repeal and replace the current SCCs. Organisations which currently rely on SCCs for data transfers will have a one-year grace period to replace their existing SCCs.
Data Transfer to Israel
At the moment, Israel has the status of an “adequate jurisdiction”, and as such organisations may freely transfer personal data from the EU to Israel without additional safeguards. This status, however, is currently under review. If at some point Israel should no longer be considered an adequate jurisdiction, organisations are most likely to turn to the SCCs as an alternative legal basis for the transfer. It is still unclear, though, whether the required assessment of the local law, also taking into account the ECJ’s case law and applicable guidance from the EDPB, would automatically lead to the conclusion that the laws “do not exceed what is necessary and proportionate”. It is expected that any decision from the Commission on this matter would include further guidance on this point.
As ever, we are ready to assist with all your needs. Please don’t hesitate to contact us.