By now, you can't have missed that the European Commission published two sets of new 'standard contractual clauses' (SCC) last week. They have now been formally published, meaning that the existing international EU SCC can be used until 27 September 2021 and companies have until 27 December 2022 to move existing international EU SCC over.
The Commission set the baseline for immediate confusion by calling both documents the same thing even though they are in fact different; privacy practitioners shrugged this off and proceeded to spend last weekend reading through them.
We all appreciated it was a difficult exercise for the European Commission to draft these but surely, now we have them, all companies have to do is simply replace any existing SCC being used and move to the new set for transfers from now on, right? Wrong. Very wrong.
Below is a list of just some of the complicated questions to work through on the international transfer SCC and, to give you a sense of how they work, attached is a diagram we have prepared for those who prefer something more visual.
- Do you always need SCC to transfer personal data out of the EEA (other than where there are binding corporate rules, an adequacy ruling etc)? No, you might not if the entity you are transferring to is already subject to GDPR for that processing, so that analysis will need to be done before you start, and parties could have different opinions on this. It is far from an easy question.
- Do the new SCC now solve the 'Schrems issue' around concerns about transfers overseas? No. They contain a new warranty that assessments regarding the transfer have been done and are kept up to date, and that work will still need to be done.
- Does the law of the exporting country apply? No, there is apparently more flexibility to choose a country in the EU but, at the same time, organisations are told they can't select one which doesn't give third party rights for beneficiaries. Of course most organisations won't be in a position to know which those countries are, or indeed to decide whether, say, Belgian law is a better bet for potential law enforcement issues and fairer legal interpretations of "reasonableness" etc than Polish law.
- Will the UK just be wrapped into this to be treated in the same way as the EEA? We don't know yet since we are waiting for the ICO's proposed new 'SCC' and also the UK/EU adequacy ruling. But you also end up looping back around to the first question above again in terms of whether transfers to or from the UK are subject to UK GDPR and/or EU GDPR anyway. Feeling dizzy yet?
- Aside from the above, are they basically the same though? Nope. There are 4 modules and various new obligations, including needing to put a lot more detail in the annexes around technical and organisational measures and special category data safeguards, plus additional points around transparency which will have companies worrying about constantly having to update their privacy policies.
- But I won't need another contract in addition to the SCC anymore, will I? The SCC do incorporate Article 28 provisions now, so there is at least no need for a separate DPA, which is welcome. However, take a look at the C2C modules and they don't go into the detail that would be required to clarify whether parties are joint or separate controllers, or the additional requirements needed there around data sharing. Parties may also continue to want additional contractual provisions around liability and otherwise.