The European Commission has drafted amendments to the adequacy decisions that underpin the European Union’s Standard Contractual Clauses (“SCCs”) that allow businesses to transfer personal data originating in the European Economic Area (“EEA”) outside of the EEA. While the Commission has not published the full text of its proposals, they may have a significant practical impact on all businesses that rely on SCCs for international data transfers, including to the United States.
The legal basis for both the Data Controller-to-Data Controller SCCs and the Data Controller-to-Data Processor SCCs are adequacy decision 2001/497/EC and adequacy decision 2010/87/EC respectively. A committee of representatives of Member States met to discuss the draft amendments to these decisions on 3 October 2016 (though a record of its proceedings has only just been published.) The Commission has also proposed amendments to the adequacy decisions that treat certain non-EEA countries as providing adequate legal protection for personal data (so-called “white-listed” countries to which personal data may be freely transferred). However, no decisions were taken at the meeting because certain Member State representatives asked for more time to consider the proposals. The Article 29 Working Party has also been asked for its views on the proposals.
With respect to the SCC adequacy decisions, the Commission is proposing amendments in order to — in its words — “cure the illegality that follows from the findings in the Court of Justice’s Schrems ruling.” These findings were that the Commission in its (now invalidated) Safe Harbor adequacy decision improperly imposed limits on the powers of national Data Protection Authorities to suspend and prohibit international data flows. Specifically, in the Commission’s view, “a comparable provision restricting the powers of DPAs is present in the SCCs [adequacy] decisions.” Accordingly, “the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.”
There are at least three potential consequences from these developments:
- First, it is not clear whether the Commission is only proposing amendments to the SCC adequacy decisions, or also to the terms of the associated SCCs themselves. The latter is likely, since amending the decisions without amending the SCCs would leave questions open. If the SCCs will also be amended, there is no indication as yet that existing SCCs will be grandfathered in. If there is no grandfathering, businesses that have SCCs in place based on the existing form may need to amend them to reflect, or enter into, the new form of SCCs. This may be burdensome as, among other things, it will require complying with any local requirements (like filings and registrations) in specific Member States. The proceedings do not indicate whether the Commission is considering a grace period in enforcement to allow time to make these changes, as it did in for onward transfer provisions in third-party contracts in the Privacy Shield and the Article 29 Working Party did for new data transfer mechanisms after the invalidation of the Safe Harbor framework.
- Second, the Commission’s view that the two SCC adequacy decisions suffer from the same “illegality” as the Safe Harbor adequacy decision may have relevance for ongoing litigation in Ireland where the validity of the SCC adequacy decisions are under challenge on similar grounds (though that case also involves questions concerning remedies available in relation to U.S. government surveillance).
- Finally, it appears that the main change that the Commission is proposing to the SCC adequacy decisions is to “remove” any restrictions that limit the ability of DPAs to suspend or prohibit data flows. It remains to be seen whether, in practice, particular DPAs, such as those in Germany, will be more willing to prohibit or suspend international data flows under the amended SCC adequacy decisions than under the current SCC adequacy decisions.