Are the new SCCs sufficient after Schrems II ?

Draft new SCCs

On 12 November 2020, the European Commission published long awaited draft new Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries (i.e. outside the EEA). This document updates and restructures the previous SCCs published by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU). The draft is open to public consultation until 10 December 2020. Adoption of the final version of SCCs is expected early 2021.

New structure

The new SCCs are presented as a modular approach covering four different data transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

As expected, the SCCs now also cover the processor-to-processor and processor-to-controller transfers scenarios.

In addition, the SCCs are designed in a way allowing the parties to use them in a multi-party setting. Docking clause allows new parties to access the SCCs at any time by completing Annexes (i.e. list of Parties, description of the transfer(s) and technical and organisational measures).

The parties (i.e. the “data exporter” and the “data importer”) are also free to include those SCCs in a wider contract and to add other clauses or additional safeguards (not. via contractual commitments supplementing the SCCs) provided that they do not contradict, directly or indirectly, the SCCs.

… and new issues

Although their revision was already pending, the SCCs have been reviewed notably in the light of the Schrems II decision issued earlier this year by the CJEU.

International data transfer based on SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with thoses clauses. Following the EDPB’s six steps roadmap, in performing this assessment, the Parties should take into account the specific circumstances of the transfer (e.g. the purpose of the transfer, the nature of the transfered data, the type of recipient, the duration of the contract, etc.), the laws of the third country of destination and the additional safeguards that could be taken (e.g. technical or organisational measures).

To ensure the effectiveness of SCCs, the importer shall, notably:

  • make its best efforts to provide the data exporter with all relevant information;
  • promptly notify the data exporter if it :
  • has reason to believe that it is or has become subject to laws not in line with the protection granted by GDPR,
  • receives a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data. Such notification shall include, at least, information about the personal data requested, the requesting authority, the legal basis for the request and the response provided,
  • becomes aware of any direct access by public authorities to transferred personal data. Such notification shall include all information available to the importer,
  • review, under the laws of the country of destination, the legality of such request for disclosure and to exhaust all available remedies to challenge the request if possible under applicable laws.

Are the new SCCs sufficient after Schrems II ?

Unfortunately, the answer is NO.

As a reminder, the transfer of data to a third country must be based on an appropriate data transfer mechanism amongst those listed in Chapter V GDPR, such as SCCs.

But the exporter shall first, following the EDPB’s six steps roadmap, assess whether the third country’s laws and practices provide an essentially equivalent level of protection to the EU. Whether or not data exporter can transfer personal data on the basis of SCCs will depend on the result of such assessment, taking into account the circumstances of the transfers, and supplementary measures that could be implemented.

If this assessment concludes that the laws of the third country encroaches on the effectiveness of the transfer tool (e.g. if Section 702 of FISA and/ or E.O. 12333 applies, for E.U.-US transfers), supplementary measure should be considered to ensure the required level of protection.

First, the new SCC’s do not include all the contractual measures suggested by the EDPB.

Then, contractual requirements do not appear to be self sufficient to guarantee the transferred data a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. For instance, surveillance programmes based on Section 702 of the FISA are secret. The importers who are subject to it (e.g. cloud-based services providers) are subject to a secrecy obligation regarding the acquisition requested by the US government, which prohibits the sending of a notification to the customers (e.g. the exporters). In such cases, only the implementation of technical measures (such as strong encryption) therefore appears to be effective.

Nevertheless, it is sometimes necessary for the importer to access the data in the clear (e.g. to properly provide the services requested by the exporter). The direct consequence could therefore be that in some cases the transfer of data to a country that does not provide for an equivalent level of protection would be impossible.

The assessment of the effectiveness of SCCs (which involves analysing the laws applicable in the importer’s country) is a complex task.

Parties should document such assessment and make it available to the competent data protection supervisory authority.

A maximum obligation of cooperation should be required from the importer (e.g. by inserting additional contractual measures).