Are the new SCCs sufficient after Schrems II ?

Draft new SCCs

On 12 November 2020, the European Commission published long awaited draft new Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries (i.e. outside the EEA). This document updates and restructures the previous SCCs published by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU). The draft is open to public consultation until 10 December 2020. Adoption of the final version of SCCs is expected early 2021.

New structure

The new SCCs are presented as a modular approach covering four different data transfer scenarios:

  • Controller to controller
  • Controller to processor
  • Processor to processor
  • Processor to controller

As expected, the SCCs now also cover the processor-to-processor and processor-to-controller transfers scenarios.

In addition, the SCCs are designed in a way allowing the parties to use them in a multi-party setting. Docking clause allows new parties to access the SCCs at any time by completing Annexes (i.e. list of Parties, description of the transfer(s) and technical and organisational measures).

The parties (i.e. the “data exporter” and the “data importer”) are also free to include those SCCs in a wider contract and to add other clauses or additional safeguards (not. via contractual commitments supplementing the SCCs) provided that they do not contradict, directly or indirectly, the SCCs.

… and new issues

Although their revision was already pending, the SCCs have been reviewed notably in the light of the Schrems II decision issued earlier this year by the CJEU.

International data transfer based on SCCs should only take place if the laws of the third country of destination do not prevent the data importer from complying with thoses clauses. Following the EDPB’s six steps roadmap, in performing this assessment, the Parties should take into account the specific circumstances of the transfer (e.g. the purpose of the transfer, the nature of the transfered data, the type of recipient, the duration of the contract, etc.), the laws of the third country of destination and the additional safeguards that could be taken (e.g. technical or organisational measures).

To ensure the effectiveness of SCCs, the importer shall, notably:

  • make its best efforts to provide the data exporter with all relevant information;
  • promptly notify the data exporter if it :
  • has reason to believe that it is or has become subject to laws not in line with the protection granted by GDPR,
  • receives a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data. Such notification shall include, at least, information about the personal data requested, the requesting authority, the legal basis for the request and the response provided,
  • becomes aware of any direct access by public authorities to transferred personal data. Such notification shall include all information available to the importer,
  • review, under the laws of the country of destination, the legality of such request for disclosure and to exhaust all available remedies to challenge the request if possible under applicable laws.

Are the new SCCs sufficient after Schrems II ?

Unfortunately, the answer is NO.

As a reminder, the transfer of data to a third country must be based on an appropriate data transfer mechanism amongst those listed in Chapter V GDPR, such as SCCs.

But the exporter shall first, following the EDPB’s six steps roadmap, assess whether the third country’s laws and practices provide an essentially equivalent level of protection to the EU. Whether or not data exporter can transfer personal data on the basis of SCCs will depend on the result of such assessment, taking into account the circumstances of the transfers, and supplementary measures that could be implemented.

If this assessment concludes that the laws of the third country encroaches on the effectiveness of the transfer tool (e.g. if Section 702 of FISA and/ or E.O. 12333 applies, for E.U.-US transfers), supplementary measure should be considered to ensure the required level of protection.

First, the new SCC’s do not include all the contractual measures suggested by the EDPB.

Then, contractual requirements do not appear to be self sufficient to guarantee the transferred data a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. For instance, surveillance programmes based on Section 702 of the FISA are secret. The importers who are subject to it (e.g. cloud-based services providers) are subject to a secrecy obligation regarding the acquisition requested by the US government, which prohibits the sending of a notification to the customers (e.g. the exporters). In such cases, only the implementation of technical measures (such as strong encryption) therefore appears to be effective.

Nevertheless, it is sometimes necessary for the importer to access the data in the clear (e.g. to properly provide the services requested by the exporter). The direct consequence could therefore be that in some cases the transfer of data to a country that does not provide for an equivalent level of protection would be impossible.


The assessment of the effectiveness of SCCs (which involves analysing the laws applicable in the importer’s country) is a complex task.

Parties should document such assessment and make it available to the competent data protection supervisory authority.

A maximum obligation of cooperation should be required from the importer (e.g. by inserting additional contractual measures).

Voir aussi : Lexing ( Ms. Fanny Coton ,  Mr. Thomas Espeel )


Click here to see the ad(s)
Tous les articles Pratiques de commerce

Derniers articles Pratiques de commerce

Prohibition of online advertising in a list of e-mails or messages – a misstep by the CJEU?

When submitted a request for a preliminary ruling, the Court of Justice of the European Union (CJEU) is expect to answer q...

Read more

Misbruik van economische afhankelijkheid: concrete toepassingen in de Rechtspraak

De B2B-wet (Wet van 4 april 2019 houdende wijziging van het Wetboek van Economisch Recht met betrekking tot misbruike...

Read more

Les délais de paiement entre professionnels: un comparatif franco-belge

La crise du coronavirus a incontestablement accentué les difficultés rencontrées par les entreprises,...

Les délais de paiement entre professionnels: un comparatif franco-belge Read more

Responsabilité du fait des produits défectueux

Consultation de la Commission sur l’adaptation des règles actuelles pour tenir compte de l’Intelligence...

Read more

Derniers articles de Ms. Fanny Coton

RGPD : consentement de l’enfant, comment procéder ?

Read more

Minorité digitale : interprétation très large du concept par l’APD

Le Règlement général sur la protection des données (RGPD) a introduit le concept de minorit&ea...

Read more

Envoi de newsletter : comment respecter le RGPD ?

Comment faire savoir que vous proposez un nouveau service ? (Par exemple que votre marchandise est disponible en ...

Read more

Comment réagir à une enquête de l’Autorité de protection des données?

ous venez de recevoir une demande de renseignement de l’APD. Celle-ci ne contient pas d’explication au suje...

Read more

Derniers articles de Mr. Thomas Espeel

(Rainy) Sky v. SkyKick : the CJEU opened its umbrella

On 29 January 2020, the CJEU handed its much anticipated decision in the referral from the English High Court in the &lsqu...

Read more

InfoSoc Directive : no digital exhaustion according to the ECJ

For the ECJ, the sale of second-hand e-books through a website constitutes a communication to the public that requires the...

Read more

RGPD et finalité du traitement : l’APD serre la vis !

Consacré dès 1981 (Convention 108), le principe de finalité est un principe angulaire de la protectio...

Read more

NIS Law: the new incident notification procedure

The law of 7 April 2019 (the ‘NIS law’) states that the Operators of Essential Services (OES) and th...

Read more

LexGO Network