European Commission publishes revised Standard Contractual Clauses for consultation
On 12 November, the European Commission published for consultation its long awaited revised draft Standard Contractual Clauses (SCCs). On 16 July, the Court of Justice of the European Union ruled that the EU-US Privacy Shield is invalid. Since then, and with immediate effect, (and while winning Data Protection Authorities’ acceptance of an application for Binding Corporate Rules remains a time-consuming and expensive option), SCCs are the main legal tool available for transferring personal data from the European Economic Area to third countries without adequacy status.
As a consequence, there was an urgent need for the European Commission to draft revised SCCs to enable for them to be used in more circumstances. The new version comes in two documents, of 9 and 29 pages, which include the following provisions:
The rationale for the revised SCC is that “important developments have taken place in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships. This calls for a modernisation of the standard contractual clauses to better reflect those realities, by covering additional processing and transfer situations and to use a more flexible approach, for example with respect to the number of parties able to join the contract.”
Flexibility: “These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies…., [for] data transfers from controllers to processors and/or processors to processors … This does not prevent the Parties from including the standard contractual clauses laid down in [these] Clauses in a wider contract, and to add other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.”
Information to data subjects: “Those responsibilities include among other responsibilities, the obligation of the controller to provide data subjects with information about the fact that it intends to transfer personal data to a third country.”
More than two parties to the contract: “The standard contractual clauses set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, which makes it possible to tailor their obligations under the standard contractual clauses to their corresponding role[s] and responsibilities in relation to the data processing at issue. It should be possible for more than two parties to adhere to the standard contractual clauses.
Onward transfers: “Onward transfers by the data importer to a recipient in another third country should be allowed only if such recipient accedes to the standard contractual clauses, if the continuity of protection is ensured otherwise or on the basis of the explicit, informed consent of the data subject.”
Data subjects’ rights: “…data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries ... the data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.”
Jurisdiction: “… the data importer should be required to submit to the jurisdiction of such authority and courts and to commit to abide by any binding decision under the applicable Member State law.”
Collective/Class action: “… data subjects should be allowed to be represented by associations or other bodies in disputes against the data importer if they so wish and if authorised by national law.”
Liability and compensation: “The standard contractual clauses should provide for rules on liability between the parties and with respect to data subjects, as well as rules on indemnification between the parties. Where the data subject suffers material or non-material damage as a consequence of any breach of the third party beneficiary rights under the standard contractual clauses, he or she should be entitled to compensation.”
Audits: “The standard contractual clauses should require the data importer to make available all information necessary to demonstrate compliance with the obligations set out in the clauses and to allow for and contribute to audits of its processing activities by the data exporter.”
The consultation period closes on 10 December.
Source information: European Commission