The CJEU’s long-awaited Schrems II decision of 16 July 2020, raised important questions on the validity of data processing activities involving the transfer of personal data outside the EEA. In its decision, the CJEU did not only invalidate the Privacy Shield, it also concluded that relying on the standard contractual clauses (SCCs) (like other approved transfer mechanisms under article 46 GDPR) are no longer sufficient to comply with Chapter V GDPR. Additionally, companies must assess on a case-by-case basis whether the level of protection on the data following the transfer, is essentially equivalent to, and does not undermine, the level of protection guaranteed to data subjects under EU data protection law.
SCCs as transfer mechanism
Particularly regarding standard contractual clauses (article 46.2 GDPR), the CJEU stated that due to their inherently contractual nature, they cannot bind the public authorities of third countries. It may therefore be necessary to supplement the guarantees contained in those standard contractual clauses in order to assure a level of protection that is essentially equivalent to that of the EU.
EDPB’s recommendations on supplementary measures
To provide companies with guidance on these supplementary measures, the EDPB adopted on 10 November 2020 its Recommendations 01/2020 on measures that supplement transfer mechanisms to ensure compliance with the EU level of protection of personal data. More information on these recommendations can be found here.
The EC’s Draft SCCs
On 12 November 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries, with the proposed draft text of those standard contractual clauses (Draft SCCs). The Draft SCCs would repeal the existing SCCs (dating from 2001, 2004 and 2010) and would introduce one set of modular SCCs, useable in the four different scenarios or “modules” (either controller to controller, controller to processor, processor to processor, or processor to controller). More information on the Draft SCCs can be found here.
EDPB and EDPS’s Joint Opinion on Draft SCCs
It is in the context of the Draft SCCs that the EDPB and EDPS published their Joint Opinion on the newly proposed modular SCCs of the European Commission.
Some general takeaways based on the Joint Opinion:
- The Draft SCCs take into account the evolved data protection landscape. As already mentioned above, they foresee a modular approach covering four scenarios. Moreover, not only do the Draft SCCs go further than the standard “controller to controller” and “controller to processor” relationship, they also acknowledge that these days many operations, including personal data streams, involve multiple data importers and data exporters. The fact that several (e. more than two) parties can easily join the Draft SCCs therefore demonstrates the more flexible approach the European Commission wanted to achieve. Currently, the existing SCCs are often not fit for purpose, leaving companies in uncertainty on whether, and how, to rely on SCCs.
- The Joint Opinion acknowledges that the Draft SCCs include specific provisions addressing some of the issues that were identified in the Schrems II decision. In particular, the third country’s laws affecting compliance with the SCCs (Section II – Clause 2), the access requests received by the data importer and issued by third country’s public authorities (Section II – Clause 3), and optional ad-hoc redress mechanism to the benefit of data subjects (Section II – Clause 6) are addressed in the Draft SCCs.
- Regarding supplementary measures, the EDPB and EDPS acknowledge that the Draft SCCs include several measures which were also identified in the EDPB recommendations on supplementary measures. However, for some measures, the EDPB and EDPS are of the opinion that more consistency is needed. The uncoordinated time frame within which the different bodies (EDPB and EC) published their input after Schrems II, may be the cause of the observed level of inconsistency between the EDPB recommendations on supplementary measures on the one hand, and the Draft SCCs on the other hand. Hence and in general, the EDPB and EDPS recall that the EDPB Recommendations will remain relevant and applicable after the adoption of the Draft SCCs.
The Joint Opinion emphasizes that the new SCCs will have to be used with the EDPB Recommendations on supplementary measures. The EDPB and EDPS, therefore, encourage the EC to clarify in the final SCCs that there may still be situations where, despite the use of the new SCCs, ad-hoc supplementary measures will remain necessary to be implemented in order to ensure that data subjects are afforded a level of protection that is, essentially, equivalent to that guaranteed within the EU.
It remains to be seen to what extent this Joint Opinion will have been taken into account in the final SCCs, which we expect to be issued soon.