Nov 132020

European Commission Proposes Revised Standard Contractual Clauses

William RM Long and Francesca Blythe
, , , , , , ,

The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision

Under the draft SCCs (set out in the Annex of the EC’s Draft) a data importer must agree to comply with various data protection obligations reflecting principles in the GDPR relating to (i) purpose limitation; (ii) transparency by providing data subjects with details of the identity of the data importer and third parties; (iii) accuracy and data minimisation; (iv) storage limitation; and (v) information security. In relation to special categories of personal data (e.g., data concerning health) the data importer must agree to apply additional safeguards adapted to the specific nature of the data and the risks. In relation to onward transfers, the data importer must not disclose personal data to a third party located outside the EU unless the third party agrees to be bound by the SCCs or another onward data transfer solution as set out in the draft SCCs applies. The exporter must warrant it has used reasonable efforts to determine that the data importer is able to satisfy its obligations under the SCCs.

The draft SCCs “combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains.” In particular, unlike the existing SCCs, the draft SCCs address transfers of personal data from either a controller or a processor in the EEA to a controller, processor or sub-processor in a third country. It will be for the parties to select the module applicable to the specific transfer, in addition to the general clauses which apply to all parties irrespective of role. The Modules are as follows: Module 1 – controller to controller transfers; Module 2 – controller to processor transfers; Module 3 – processor to processor transfers; and Module 4 – processor to controller transfers.

The draft SCCs are intended to also satisfy the requirements of Article 28(3) of the GDPR (i.e., the mandatory data processing provisions) where the draft SCCs are entered into by a controller in the EEA and a processor in a third country – provided they are not amended. Indeed, Annex II of the draft SCCs includes prescriptive examples of the technical and organisational measures to be implemented by the (sub) processor – i.e., in line with the recent draft guidance published by the EDPB on controllers and processors which requires that details on the specific security measures be included in the data processing agreement. The EC’s Draft also makes clear that draft SCCs are intended for multiple parties (i.e., not just one exporter and one importer), and additional parties are permitted to accede to the draft SCCs (for example, in the case of onward transfers) by virtue of what is referred to as a “docking clause”. The draft SCCs also expressly acknowledge the potential for incorporating the SCCs into a wider agreement (e.g., a Master Services Agreement), but provide that in the event of a conflict, the SCCs shall prevail.

In line with the CJEU’s ruling and the draft recommendations published by the EDPB, the EC’s Draft reiterates that transfers of personal data under the SCCs should only take place if the recipient third country’s laws do not prevent the data importer from complying with the SCCs. In turn, the EC’s Draft encourages parties to “provide additional safeguards via contractual commitments that supplement the [SCCs],” and emphasises the need for parties to be able to demonstrate compliance with the SCCs. In particular, the EC’s Draft requires the data importer to “keep appropriate documentation for the processing activities under its responsibility, and to promptly inform the data exporter if it is unable to comply with the [SCCs], for whatever reason.”

Importantly, the EC’s Draft provides that parties can continue to rely on the existing SCCs for a period of one year from the date of entry into force of the EC’s Draft, provided supplementary measures are implemented as necessary (i.e., in accordance with the EDPB’s draft recommendations). In turn, companies relying on the existing SCCs to legitimise their international transfers will have just one year from the date of approval to migrate to the draft SCCs – a potentially very large administrative burden for companies and something which should be considered now as part of their broader Schrems II project.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.