On November 12, 2020, the European Commission (‘EC’) delivered on their promise of releasing an amended and Schrems II proof version of the draft Standard Contractual Clauses (‘SCCs’) which are currently open for consultation till December 10, 2020. The draft SCCs have been framed keeping in mind the change in data transfers across the European Union (‘EU’) border. The SCCs have been for some time now one of the most recognised international data transfer mechanisms. However, the Schrems II judgment brought their adequacy into question, especially since the judgment invalidated the privacy shield arrangement. In this alert, we provide a brief of what the draft SCCs will entail while also momentarily delving into some of the changes which have been brought by the draft SCCs.
1. The Draft SCCs – What has changed?
The draft SCCs specifically focus on the high level of protection that will need to be brought about under the General Data Protection Regulation (‘GDPR’) in the background of the Schrems II judgment. The EC in the draft implementing decision states that controllers and processors will have 1 (one) year for the transition into the new draft SCCs. Since the current SCCs were brought into force before the GDPR, the new draft SCCs will be able to converge data subject rights requirements and also all achieving the adequate level of data protection that was enumerated in the Schrems II decision. No, each party would be required to carry out a risk assessment which shall be in an exposition of the following:
a) The circumstances of the data transfer;
b) The laws of the destination/third country keeping in mind the circumstances of data transfer; and
c) Supplemental measures that may need to be applied for the data transfers, in order to ensure that transfers of personal data are subject to all safeguards.
Since the role of the SCCs is limited to ensure appropriate safeguards in data transfers, controllers and processors are encouraged to include other clauses also in data transfer contracts, provided that they are not in contradiction of the SCCs. This essentially means that the new draft SCCs meet the requirement under Article 28 of the GDPR. Now, parties that are making use of the new draft SCCs will not require a data protection agreement. Interestingly, the EC in the draft implementing decision approach a more flexible attribute of data transfers and also states that the draft SCCs may be used by controllers or processors which are not established in the EU. Moreover, data subjects have now been provided rights that can be enforced more broadly against both the data exporter and the data importer.
2. Division into Modules
The draft SCCs has adopted a modular approach so as to ease the process of data transfers for controllers and processors. The draft SCCs have been divided into 4 (four) modules, (a) transfer controller to controller; (b) transfer controller to processor; (c) transfer processor to processor; and (d) transfer processor to controller. Such a modular approach provides for transfers that were previously not envisioned by the previous SCCs, such as processor to processor transfers. The obligations of the parties will also now defer, depending upon the course of data transfer (eg. controller to controller).
2. Onward Transfer Restrictions
The new draft SCCs provide for strict measures regarding onward transfers by data importers to third countries. Such cases of onward transfer include: a) when the third party becomes a party to the SCCs; b) the third party has a commitment towards appropriate safeguard measures; c) the third country should be a country benefitting from the adequacy decision by the EC; and d) the third party must sign an agreement ensuring data protection as envisaged by the SCCs.
2. Schrems II Impact
The adequacy of the level of protection, stemming out of the Schrems II decision, have also been re-organised in the new draft SCCs. Previously, the parties had to warrant for the fact that there is no reason to believe that the domestic laws of the data importer, specifically any obligations to share data of EU citizens with that of national agencies, will have any impact or restriction on the importer from fulfilling its obligations under the SCCs. Now, this provision has been made more specific to include that the parties to data transfer must ‘declare’ that they have taken into account the laws of the importing country, and if the laws are not adequate, the parties must suspend the agreement of data transfer. Additionally, the importer must also furnish relevant information to the exporter, and if the importer is aware that the obligations under the SCCs cannot be fulfilled, the importer must immediately inform the exporter. The parties then can take additional measures to provide appropriate safeguards and must inform the Data Protection Authority (‘DPA’) on how they are continuing the process of data transfer. Moreover, if data importers receive any request for access from government agencies then the data importer is immediately required to notify the exporter. The importer should use its best efforts to obtain a waiver from any government requests of access and must keep information on the file for the DPA.
BlockSuits Comments
The new draft SCCs are expected to take effect during early 2021. Hence, companies should now prepare for the transition into the new draft SCCs and notify the destination country or data importers of the updated provisions. The 1 (one) year transition period will definitely assist companies to formulate additional safeguards for ensuring the level of protection required by the GDPR. While companies can rely on the old SCCs during the transition period, it is best if they are augmented and familiarised with the new draft SCCs. We at BlockSuits will also be publishing an alert once the consultation period has ended, regarding prospective measures to take into account while in the transition period.
Authored by Shivani Agarwal, Founder, and Samaksh Khanna, Co-founder.
コメント