Earlier this month, the European Commission announced that it has adopted “two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries.” The new SCCs take into account new requirements under the General Data Protection Regulation as well as the Court of Justice’s Schrems II opinion.
The Commission previously issued drafts of these documents. The Commission stated that the final documents take into account comments made by various stakeholders, including the joint opinion of the European Data Protection Board and European Data Protection Supervisor.
The new documents will require extensive analysis over the coming weeks. That said, for U.S. entities, one footnote that will likely draw much discussion in light of the Schrems II decision is footnote 12 in the standard contractual clauses for international transfers. That footnote is found in Section III, Clause 14 (Local law and practices affecting compliance with the Clauses). The corresponding text states that:
The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards [footnote 12];
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
Footnote 12 explains:
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
The allowance for parties to take into account “practical experience” when analyzing the legality of data transfers is a concession to business interests that had argued that a risk-based approach was consistent with GDPR. It also contrasts with the EDPB’s recommendations for a purely objective analysis.
It also is worth noting that the Implementing Decision affirms that the parties are “free to include [the] standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.”
As noted, more detailed analysis will be required over the coming weeks as covered entities look to take the necessary steps to drive compliance with these new documents.