The EU Commission has published new standard contractual clauses (SCC). The SCCs may constitute an appropriate guarantee under the GDPR for the transfer of personal data to third countries. However, this does not mean that additional data security measures are automatically no longer necessary under the new SCCs, quite the contrary.
The EU’s new standard contractual clauses
Technically, data transfers appear to be quite simple thanks to cloud computing and other ways of transferring data, but legally it is a somewhat different story. Central to data protection when transferring personal data is the legal basis (May the data be transferred to third parties?) and the appropriate level of data protection (Is the data as well protected after the transfer as required by the General Data Protection Regulation (GDPR)?).
For a transfer of personal data to the U.S., as is well known, since the end of Privacy Shield there is no longer a valid adequacy decision of the EU Commission to rely on in order to prove an adequate level of data protection in the recipient third country.
The GDPR then provides (in Article 46 GDPR): In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards and if enforceable rights and effective remedies are available to data subjects.
This is where the standard contractual clauses, in particular, come into play, which was approved by the EU Commission after a review process. Although the previous standard contractual clauses (SCC) were not overturned in the so-called Schrems II ruling of the ECJ (European Court of Justice), it was made clear that even under the application of the SCC, further data protection measures may be necessary to ensure an adequate level of data protection.
The new standard contractual clauses
By early June 2021, the European Commission had adopted two new sets of standard contractual clauses, one set for data transfers between controllers and processors and one set for transfers of personal data to third countries.
The aim is to take into account the requirements of the General Data Protection Regulation (GDPR) and the “Schrems II” ruling of the European Court of Justice and to ensure a high level of data protection for citizens. The new instruments provide greater legal predictability for European businesses, helping SMEs in particular to ensure compliance with the requirements applicable to secure data transfers while enabling unhindered cross-border data transfers without legal barriers, the EU Commission said. The new standard contractual clauses also take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor.
Commission Vice-President Věra Jourová, responsible for values and transparency, said: “We want to remain open in Europe and allow free data flows, provided the data is protected in the process. The modernized standard contractual clauses will help achieve this goal. They provide companies with a useful tool to ensure that they comply with data protection rules, both in their activities in the EU and in international data transfers. This is a necessary solution in the connected digital world, where data can be transferred with just a click or two.”
EU Justice Commissioner Didier Reynders added: “In our modern world, it matters that data can be exchanged inside and outside the EU with the necessary protection. With these strengthened clauses, we are enabling companies to have more security and legal certainty in data transfers. Following the “Schrems II” ruling, it was our duty and priority to devise user-friendly instruments that companies can fully rely on. The new standard contractual clauses will greatly help companies comply with the GDPR.”
Most important innovations in the SCC
Innovations in the new standard contractual clauses include, in particular:
- An overarching set of tools covering a wide range of transfer scenarios, instead of separate clauses;
- A practical tool for complying with the “schrems ii” ruling; an overview of the various measures companies must take to comply with the “schrems ii” ruling; and examples of possible “additional measures” such as encryption that companies can take if necessary.
- A transition period of 18 months is provided for controllers and processors already using existing standard contractual clauses.
If you look closely, you will notice: the new sc cs do not make the additional measures for data protection superfluous, but they mention them explicitly and give examples. Additional data security measures may therefore still be necessary, even with the new SCCs.
What regulators are saying about the new SCCs
The Conference of Independent Data Protection Supervisors of the German Federal and State Governments (Datenschutzkonferenz, DSK) has commented accordingly. It points out that even if the new EU standard contractual clauses are used, an examination of the legal situation in the third country and additional supplementary measures are required.
The new standard contractual clauses have therefore not changed anything in terms of the obligations for companies. Rather, these now explicitly regulate the requirements that previously followed only from ECJ case law (clause 14), according to the regulators. This means that even when using the new clauses, the data exporter must check the legal situation and practice of the third country and, if necessary, take additional protective measures or, failing that, refrain from the transfer.
In its “Schrems II” ruling, the European Court of Justice had examined the level of data protection in the U.S. in detail and found it to be inadequate. In the case of data transfers to the USA, supplementary measures are therefore regularly required to prevent the US authorities from accessing the processed data. However, such measures are only conceivable for a few cases, as the data protection conference emphasizes.
The bottom line is that companies and other actors that transfer personal data to third countries must be able to demonstrate to the supervisory authority that they have conducted the assessment of the level of protection in the third country on a case-by-case basis and come to a positive conclusion, even when applying the new standard contractual clauses. The German supervisory authorities have begun consultations and audits on whether and how the requirements of the “Schrems II” ruling are being met.