This post was originally published on The Global Privacy Watch blog.
In a long awaited decision, the European Commission ("Commission") adopted two new sets of standard contractual clauses ("SCCs") to reflect the EU's General Data Protection Regulation ("EU GDPR") and 'the realities faced by modern business' (see the Commission's press release). These replace the existing SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU's Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with 'more safety and legal certainty' and as being 'user friendly tools'.
It is important to note that the new set of SCCs is significantly different from the previous set. For example, instead of focusing on the status of the parties as "controller" or "processor," the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
The two sets of SCCs are (i) for use between controllers and processors within the EU/EEA, and (ii) for cross-border transfers between controllers and processors. Both can be used as of 27 June 2021. Note that the effect of Brexit has added
What are the key takeaways?
- There are now approved SCCs for intra-EU agreements under Article 28. As a result, there is now a "safe harbor" to ensure that all of an entity's processor (Article 28) agreements are compliant. This did not exist previously.
- The SCCs have a 'modular approach', enabling multiple parties to join and use them. Moreover, there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, a different agreement was needed for each of the two Articles.
- The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if needed (e.g. encryption, pseudonymisation).
- As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. concerning the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
- There is an 18 month transition period for controllers and processors to update the existing SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12 month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but those contracts will then need to be updated within the transition period.
The new SCCs have made some significant changes in how to implement, and how hard it is to implement, the clauses. The previous SCCs were fairly easy to implement – you just filled in the blanks in the appropriate form (i.e. controller-to-controller, or controller-to-processor) and you were done. The new SCCs are not as simple an exercise. While the original data flows under the original SCCs are still present, the new SCCs recognize that service providers in the EU should not be left out of the thinking behind the SCCs. And considering that a processor in the EU working with foreign (e.g. US) data should not impose the GDPR on purely non-EU data, we now have "processor to sub-processor" and "processor to controller" modules.
In addition to the various modules, there are embedded "options" within the various modules as well (e.g. Clause 13). This is a significantly new format, and one that will require legal counsel to determine which module to use.
Along with the counsel needed to determine just which modules and options to use in the SCCs, the Schrems II issues also now demand a much higher level of legal work as part of the execution of the SCCs. Now, parties have to undertake a legal analysis of whether or not there are local law issues which could make the enforcement of the SCCs' provisions (including enforcement by third party beneficiaries) problematic. This analysis must be documented, and the documentation must be in a form that is accessible to a supervisory authority should they request it. This means the documentation cannot be hidden away under attorney-client confidentiality rules. It will need to be accessible to a public authority.
There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer does not have an EU Representative). However, these will have significantly less of a "cost to implement" than the new structural and analytical requirements.
How does this affect transfers with the UK?
The SCCs are not applicable to the UK GDPR. However, the UK's Information Commissioner's Office ("ICO") has said it will consider recognizing the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that recognition of the EU SCCs will be contingent on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some form of recognition of the EU SCCs, even in light of the UK promulgating its own. This is similar to the way the Swiss and the EU have managed interoperability between each of their own SCCs.