Are the new SCCs sufficient after Schrems II?
07/12/2020

Draft new SCCs

On 12 November 2020, the European Commission published long-awaited draft new Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries (i.e. outside the EEA). This document updates and restructures the previous SCCs published by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU). The draft is open to public consultation until 10 December 2020. Adoption of the final version of the SCCs is expected in early 2021.

New structure

The new SCCs are presented as a modular approach covering four different data transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

As expected, the SCCs now also cover the processor-to-processor and processor-to-controller transfer scenarios.

In addition, the SCCs are designed so that the parties can use them in a multi-party setting. A docking clause allows new parties to accede to the SCCs at any time by completing the Annexes (i.e. list of Parties, description of the transfer(s) and technical and organisational measures).

The parties (i.e. the “data exporter” and the “data importer”) are also free to include those SCCs in a wider contract and to add other clauses or additional safeguards (notably via contractual commitments supplementing the SCCs) provided that they do not contradict, directly or indirectly, the SCCs.

… and new issues

Although their revision was already pending, the SCCs have been reviewed notably in the light of the Schrems II decision issued earlier this year by the CJEU.

International data transfers based on SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with those clauses. Following the EDPB’s six-step roadmap, in performing this assessment, the Parties should take into account the specific circumstances of the transfer (e.g. the purpose of the transfer, the nature of the transferred data, the type of recipient, the duration of the contract, etc.), the laws of the third country of destination and the additional safeguards that could be taken (e.g. technical or organisational measures).

To ensure the effectiveness of SCCs, the importer shall, notably:

  • make its best efforts to provide the data exporter with all relevant information;
  • promptly notify the data exporter if it:
      • has reason to believe that it is or has become subject to laws not in line with the protection granted by GDPR,
      • receives a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data. Such notification shall include, at least, information about the personal data requested, the requesting authority, the legal basis for the request and the response provided,
      • becomes aware of any direct access by public authorities to transferred personal data. Such notification shall include all information available to the importer;
  • review, under the laws of the country of destination, the legality of such request for disclosure and exhaust all available remedies to challenge the request if possible under applicable laws.

Are the new SCCs sufficient after Schrems II?

Unfortunately, the answer is NO.

As a reminder, the transfer of data to a third country must be based on an appropriate data transfer mechanism amongst those listed in Chapter V GDPR, such as SCCs.

But the exporter shall first, following the EDPB’s six-step roadmap, assess whether the third country’s laws and practices provide an essentially equivalent level of protection to the EU. Whether or not the data exporter can transfer personal data on the basis of SCCs will depend on the result of such assessment, taking into account the circumstances of the transfers and the supplementary measures that could be implemented.

If this assessment concludes that the laws of the third country encroach on the effectiveness of the transfer tool (e.g. if Section 702 of FISA and/or E.O. 12333 applies, for EU-US transfers), supplementary measures should be considered to ensure the required level of protection.

First, the new SCCs do not include all the contractual measures suggested by the EDPB.

Second, contractual requirements do not appear to be sufficient on their own to guarantee the transferred data a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. For instance, surveillance programmes based on Section 702 of the FISA are secret. The importers who are subject to it (e.g. cloud-based service providers) are subject to a secrecy obligation regarding the acquisition requested by the US government, which prohibits the sending of a notification to the customers (e.g. the exporters). In such cases, only the implementation of technical measures (such as strong encryption) therefore appears to be effective.

Nevertheless, it is sometimes necessary for the importer to access the data in the clear (e.g. to properly provide the services requested by the exporter). The direct consequence could therefore be that in some cases the transfer of data to a country that does not provide for an equivalent level of protection would be impossible.

The assessment of the effectiveness of SCCs (which involves analysing the laws applicable in the importer’s country) is a complex task.

Parties should document such assessment and make it available to the competent data protection supervisory authority.

A maximum obligation of cooperation should be required from the importer (e.g. by inserting additional contractual measures).

Related: Lexing (Ms. Fanny Coton, Mr. Thomas Espeel)

[+ http://www.lexing.be]
