In an extended awaited determination, the European Commission (“Fee’) adopted two new sets of standard contractual clauses (“SCCs”) to mirror the EU’s Basic Information Safety Regulation (“EU GDPR”) and ‘the realities confronted by trendy enterprise’ (see the Commission’s press release). These change the present SCCs that have been adopted over 10 years in the past underneath the, now repealed, Information Safety Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as offering corporations with ‘extra security and authorized certainty’ and as being ‘consumer pleasant instruments’.
You will need to be aware that the brand new set of SCCs is considerably completely different than the earlier set. For instance, as an alternative of specializing in the standing of the events as “controller” or “processor”, the brand new SCCs give attention to the placement of the events, no matter standing. It is a vital departure from the prior kind.
The 2 units of SCCs are (i) to be used between controllers and processers inside the EU/EEA, and (ii) for cross border transfers between controllers and processers. Each can be utilized as of 27 June 2021. Word that the impact of Brexit has added
What are the important thing takeaways?
- There at the moment are authorised SCCs for intra-EU agreements underneath Article 28. As a consequence, there’s now a “protected harbor” to make sure all of an entity’s processor (Article 28) agreements are compliant. This didn’t exist beforehand.
- The SCCs have a ‘modular strategy’, enabling a number of events to hitch and use them. Moreover, now there’ll now solely be a necessity for one settlement addressing each Article 28 and Article 46 necessities. Till the brand new SCCs got here out, there was a necessity for a special settlement for every of the 2 Articles.
- The SCCs account for the Schrems II determination, which in 2020 thought of the validity of the earlier SCCs in relation to worldwide transfers. The SCCs define the steps that knowledge controllers/processors should comply with to adjust to the choice and supply doable supplementary measures that may be taken, if vital (e.g. encryption, pseudonyms).
- As a part of the Schrems II consideration, each knowledge exporters and importers should warrant that they’ve carried out a neighborhood regulation evaluation (i.e. referring to the jurisdiction that can obtain the information) and that they don’t have any cause to imagine that native legal guidelines/practices would forestall the importer from complying with its obligations underneath the SCCs.
- There’s an 18 month transition interval for controllers and processors to replace the present SCCs of their contracts, intra-group switch agreements and many others. It is a welcome enchancment on the 12 month interval recommended within the November drafts. The earlier SCCs can nonetheless be included in new contracts till 27 September 2021, however these contracts will then have to be up to date inside the transition interval.
The brand new SCCs have made some vital modifications in how you can implement, and the way laborious it’s to implement, the clauses. The earlier SCCs have been pretty easy to implement – you simply stuffed out the blanks within the applicable kind (i.e. controller-to-controller, or controller-to-processor) and also you have been finished. The brand new SCCs should not as straightforward an train. Whereas the unique knowledge flows underneath the unique SCCs are nonetheless current, the brand new SCCs acknowledge that companies companies within the EU shouldn’t be overlooked of the pondering of the SCCs. And contemplating the processor within the EU working with international (e.g. US) knowledge shouldn’t impose the GDPR on completely non-EU knowledge, we now have “processor to sub-processor” and “processor to controller” modules.
Along with the assorted modules, there are embedded “choices” within the numerous modules as properly (e.g. Clause 13). It is a considerably new format, and one which would require authorized counsel to find out which module to make use of.
Together with the counsel wanted to determine simply which modules and choices to make use of within the SCCs, the Schrems II concerns additionally now demand a a lot larger stage of authorized work as a part of the execution of the SCCs. Now, events should undertake a authorized analysis of whether or not or not there are native regulation points which could make the enforcement of the SCCs provisions (together with enforcement by 3d celebration beneficiaries) problematic. This analysis must be documented, and this documentation must be in a kind that’s obtainable to a supervisory authority ought to they request it. This implies the documentation can’t be hidden away underneath attorney-client confidentiality guidelines. It’s going to have to be obtainable to a public authority.
There are a selection of different tactical modifications, a few of that are welcome (e.g. how you can cope with normal authorizations of sub-processors) and a few of that are much less so (e.g. having to determine a particular supervisory authority the place the importer doesn’t have an EU Consultant). Nonetheless, these may have considerably much less of a “value to implement” than the brand new structural and analytical necessities.
How does this have an effect on transfers with the UK?
The SCCs should not relevant to the UK GDPR. Nonetheless, the UK’s Information Commissioner’s Office (“ICO”) has stated it is going to consider recognizing the SCCs as a legitimate switch mechanism underneath the UK GDPR. In any occasion, the ICO is planning to propose, and consult on, bespoke UK SCCs for worldwide transfers later this yr. That being stated, it’s doable that the popularity of EU SCCs shall be a contingency on the UK retaining its adequacy determination, which is at present underneath scrutiny. Additionally, the ICO has already adopted the use of the prior SCCs as a part of the Brexit package deal. It could comply with that the UK would have some form of recognition of the EU SCCs, even in mild of the UK’s promulgating their very own. That is much like the best way the Swiss and the EU have managed interoperability between every of their very own SCCs.