The European Commission has just published a consultation draft of the long-promised updated version of the Standard Contractual Clauses (SCCs). The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as "third countries"). In a nutshell, the new SCCs have finally caught up with the GDPR, which came into effect nearly two and a half years ago. Once the Commission formally adopts the new SCCs, organizations will have a one-year grace period to transition from the old SCCs to the new SCCs.
Why are the SCCs important?
Most US companies that receive European personal data are aware that the GDPR prohibits the transfer of personal data from the EEA to "third countries" that don't have the benefit of a Commission "adequacy decision" (currently only 12 countries have one) unless
- one of the Commission-approved data transfer mechanisms (such as the SCCs) is in place, or
- an express GDPR Art. 49 exception applies – but these exceptions are heavily circumscribed by stringent guidance issued by the European Data Protection Board and are of very limited use.
Given that we are still waiting for the new, additional data transfer mechanisms anticipated by the GDPR, such as Commission-approved privacy certifications and codes of conduct, the SCCs play a fundamental role in making personal data transfers from Europe legal. In many data transfer situations, the SCCs are the only viable option, so the long delay in bringing the SCCs in line with the GDPR has created unnecessary obstacles to optimal GDPR compliance. In particular, the lack of SCCs covering transfers by processors to their controllers outside of the EEA has caused significant consternation.
What's new (and improved)?
The new SCCs represent a vast improvement over the current SCCs, which were last updated in 2004 (for controller-to-controller transfers) and 2010 (for controller-to-processor transfers). The new SCCs are modular in nature, covering the following data transfer situations:
- Controller to Controller
- Controller to Processor
- Processor to Controller (NEW!)
- Processor to Processor (NEW!)
By providing for processor-to-controller and processor-to-processor transfers, the Commission has plugged one of the most significant gaps in the EU's approved data transfer mechanism. Among other industries, the pharmaceutical industry will welcome the new flexibility: US (and other third country) clinical trial sponsors that are not established in Europe will soon be able to use the SCCs to cover routine transfers of EU clinical study data from their European CROs (which are processors).
There are additional improvements over the old SCCs:
- The new SCCs modules that involve processors also cover the requirements of GDPR Article 28, which specifies a list of items that must be addressed in a written contract whenever a controller uses a processor to do anything with personal data. That will significantly streamline controller-processor contracting.
- The new SCCs have been carefully drafted to help the parties address the concerns raised by the EU Court of Justice in its July 2020 Schrems II decision. That decision cast doubt on the lawfulness of transferring personal data from the EU to the US – and incidentally also raised the bar for many other countries. (Click here for a summary of that case.) The due diligence and disclosures required by the new SCC provisions initially may seem disproportionate to companies that believe their personal data transfers face no risk - or an essentially hypothetical and extremely low risk - of access by their country's intelligence agencies. However, the recently published draft guidance of the European Data Protection Board (summary available here) makes it clear that US companies (and others) are required to perform a painstaking assessment of that risk and adopt mitigating measures.
- The new SCCs spell out the controller's and processor's obligations clearly. In several instances, the English-language version of the new SCCs is clearer than the English-language version of the GDPR itself. US companies that have limited familiarity with the GDPR – for example, companies that receive EU personal data yet do not themselves fall under the GDPR's territorial jurisdiction – will find it easier to understand their concrete obligations under the SCCs. The clarity of the new SCCs is a significant improvement compared to the vague contractual wave of the hand at the GDPR that is a feature of many agreements involving EU personal data.
Unsurprisingly, the new SCCs have a few drafting glitches that hopefully will be cleaned up during the consultation process. The most interesting discrepancy – which may not turn out to be a drafting glitch – has to do with the specific phrasing used to describe when genetic data qualifies as "special category" (often called sensitive) personal data. However, we do not expect significant changes to the drafts published by the Commission.
The Commission has invited comments on the SCCs until December 10, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.