On November 12,2020, the European Commission has released a draft Implementing Decision on Standard Contractual Clauses (the SCCs) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, along with its draft set of new SCCs.
This draft SCCs is the natural continuation of the recent landmark ruling by the Court of Justice of the European Union (CJEU) on the transfer of personal data outside European Economic Area (EEA) in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II).
According to chapter V of the General Data Protection Regulation (GDPR), the transfer of personal data out of the EEA to a third country or international organization can take place only if, subject to the other provisions of GDPR, the conditions laid down are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization.
The condition most often relied upon to legitimize the international transfer of personal data is namely the use of the SCCs. However, when the GDPR came into force the existing SCCs did not get updated and so still refer to the old EU Data Protection Directive rather than the GDPR.
The draft Implementing Decision outlines the role of the new SCCs, namely, to ensure appropriate data protection safeguards for international data transfers. Therefore, the purpose of these SCCs is to ensure compliance with the requirements of GDPR [for the transfer of personal data to a third country].
The first thing we notice is that the scope of the new SCCs was expanded, and now it covers all the transfer scenarios, being
- controller to controller (see Module one of the draft SCCs);
- controller to processor (see Module two of the draft SCCs);
- processor to processor (see Module three of the draft SCCs), as well as
- processor to controller (see Module four of the SCCs).
Furthermore, the new SCCs do not require the data exporter to be established in the EEA, thus non-EEA entities can also sign the SCCs as data exporters. This provides a solution for non-EEA controllers and processors who transfer EEA data to other non-EEA third parties.
Finally, the new SCCs comprise more detailed liability provisions than are currently set out in the SCCs. They envisage joint and several liability where more than one party is responsible for any damage caused to the data subject resulting from a breach of the SCCs. Nevertheless, the SCCs liability provisions do not mention any potential to cap liability between the parties.
The European Commission’s feedback procedure is open until December 10, 2020.
If you are interested in submitting a response, you can do it within the feedback period by visiting HERE