On January 15, 2020, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, both for international transfers (“International SCCs”) and for controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).
Once finalized, the International SCCs will replace the existing sets of SCCs, which were drafted under the Data Protection Directive, for transfers of personal data from within the EEA to organizations in non-EEA countries that have not been recognized as providing an adequate level of data protection. In those cases, the EU General Data Protection Regulation (“GDPR”) requires that a transfer mechanism be implemented. In the wake of the invalidation of the Privacy Shield in the Court of Justice of the European Union’s (the “CJEU”) Schrems II judgment, the majority of organizations will need to rely on the International SCCs to legitimize their transfers.
In a press release issued by the EDPB and EDPS, the EDPB Chair, Andrea Jelinek, commented that the EEA Controller-Processor SCCs were welcomed as a strong, EU-wide accountability tool to facilitate compliance with the GDPR, providing legal certainty to controllers and processors. The Chair requested, however, that sufficient clarity be provided as to the situations where these SCCs may be relied on. Several amendments also have been requested to provide clarity and ensure that the drafts operate practically, including with respect to the “docking clause” that allows new parties to accede to the SCCs. The bodies also requested clarifications with respect to the SCCs’ Annexes, and the roles and responsibilities that should be allocated to controllers and processors therein. The EDPS, Wojciech Wiewiórowski, stated that the aim should be to make the documents as future-proof as possible.
With respect to the International SCCs, the bodies stated that they welcomed the specific provisions intended to address issues identified in the Schrems II judgment, but several provisions could be improved or clarified, such as the SCCs’ scope; certain third party beneficiary rights; certain obligations regarding onward transfers; aspects of the assessment of third country laws regarding data access by public authorities; and the notification to supervisory authorities. The EDPB also highlighted the need for controllers to consider its Recommendations on supplementary measures alongside the SCCs and invited the European Commission to refer to the final version of these recommendations if they are adopted before the European Commission’s SCC decision.