Executive Summary: The European Commission (“the Commission”) issued its long-awaited draft implementing decision proposing its updated Standard Contractual Clauses (“Updated SCCs”) for data transfers between EU and third countries. This much-needed guidance follows the recent invalidation of the EU-US Privacy Shield and related guidance issued from the European Data Protection Board (“EDPB”).

Immediate Impacts: The Updated SCCs contemplate more realistic and complex chains of personal data transfers, such as from a processor to processor or processor to sub-processor. NOTE: Organizations relying on SCCs will be required to implement the Updated SCCs within one year of their approval.

Next Steps: The proposed changes will be open for public consultation until December 10, 2020, with final implementation expected in 2021.

1. Background

On November 12, 2020, the Commission issued its draft implementing decision proposing updates to the Updated SCCs for data transfers between EU and third countries that have no ‘adequacy decision’. This follows two related recommendations released this week by the EDPB, an EU body tasked with the application of the General Data Protection Regulation (“GDPR”), regarding additional safeguards to GDPR-approved transfer mechanisms and assessment of surveillance measures in third countries.

2. Summary of the Updated SCCs

Both the Commission’s draft implementing decision and the EDPB’s guidance seek to address issues stemming from the recent Schrems II decision from the Court of Justice of the European Union (“CJEU”), which invalidated the EU–U.S. Privacy Shield. More information on the Schrems II decision and its impacts is located here. Although the CJEU took issue with the Privacy Shield, it upheld the validity and continued use of the current SCCs. Many companies, however, preferred to legitimize their transfers through use of the Privacy Shield over SCCs, which were often regarded as narrow, inflexible, and complicated for large multinational organizations where personal data crosses and re-crosses borders regularly. Ostensibly, the Commission seeks to address these concerns with the proposed Updated SCCs.

The draft SCCs contained in the appendix are structured as four modules to address different data transfer arrangements, providing more granular options for contracting parties. The Updated SCCs also now contain an optional “Docking Clause,” whereby new parties may accede to the Updated SCCs at any time by way of executing a specific Annex. Further, the draft Updated SCCs include provisions to address requests from public authorities, which apply to all modules and require data importers to warrant that they have no reason to believe that the laws of the destination country “do not exceed what is necessary and proportionate” under the GDPR and would therefore prevent fulfilling obligations under the SCC. See Draft SCCs at cl. 2. Notably, the Commission’s draft implementing decision provides that SCCs should have specific safeguards, including “how to deal with binding requests from public authorities in the third country for disclosure of the personal data transferred.” See Draft Decision at para. 18.

3. Impacts to Organizations Relying on SCCs

The draft implementing decision would repeal the current SCCs and replace them with those contained in the Draft’s appendix (e.g., the Updated SCCs). To facilitate this transition, the draft decision includes a one-year grace period for organizations to continue to rely on the SCCs currently in use. As a result, organizations will need to thoughtfully assess their data transfer arrangements and replace their existing network of SCCs with the Updated SCCs.

4. Proposed Article 28 Clauses

In addition to the Updated SCCs, the Commission has also published draft SCCs between controllers and processors located in the EU. These contain clauses that a controller can impose on the processor to satisfy contractual requirements that the controller is obliged to impose under Article 28 of the GDPR. The use of the Commission-approved Article 28 Clauses will not be compulsory, and businesses may continue to use tailored data processing agreements between controllers and processors to satisfy their Article 28 requirements.

5. Expected Implementation

Draft implementing decisions generally require the Commission to consult with committees from every EU country. Prior to meeting with such committees, the Commission seeks input from citizens, organizations, and other stakeholders during a four-week window. For these proposals, the comment period runs until midnight in Brussels (GMT+1 / 6 PM EST) on December 10, 2020. Feedback can be submitted through the Commission’s page for the draft implementing decision. After this period ends, the implementing decision will continue through the EU’s committee procedure.

Baker Botts will continue to monitor this decision and any further revisions to the Updated SCCs, including the final version enacted. For more information, please contact the Baker Botts Privacy and Data Security team.

English versions of the draft implementing decision and the Updated SCCs are available here.

An English version of the Schrems II decision is available here.

English versions of the recent EDPB guidance on transfer tool compliance is available here.

An English version of the recent EDPB guidance on surveillance measures is available here.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.