INTRODUCTION TO THE REVISED STANDARD CONTRACTUAL CLAUSES
On June 4th 2021, the European Commission (EC) published the final version of the Implementing Decision on Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries, as well as the new Standard Contractual Clauses themselves. These were published under the General Data Protection Regulation (GDPR) in the European Union (EU) after fine-tuning of the draft versions that were released back in November 2020. The EC describes this version of the SCCs as a way to provide European businesses wanting to share data with third countries with better “legal certainty”.
Data protection has become increasingly important, especially at a time when technology is booming and all kinds of data are readily available to anybody with the technical know-how and a decent internet connection. The need for the revision arose right after the Schrems v. Facebook case, in which the European Court of Justice asked policymakers to completely suspend those overseas data transfers where the third countries cannot meet the data protection requirements. This particular case rose to prominence after the European Court of Justice ordered the striking down of the EU-US data transfer agreement over concerns that US surveillance laws provide little to no remedy to protect the data of EU citizens.
The draft SCCs that came out in November 2020 were already considered to be very robust, and are very similar to the final version that has been released now. One of the only differences between the two is that the transitional period for businesses to comply with the new regulations has been extended, much to the relief of all concerned parties. Organisations can start implementing the SCCs from the 27th of June, whereas data importers and exporters can continue with the existing SCCs for another 3 months from the date of commencement. They also have an 18-month period starting from June 27th of this year to make sure all the contracts comply with the final version of the SCCs.
By implementing this version of the SCCs, businesses receive a lot more flexibility because of the ability to add additional protection depending on the nature of each case. However, this flexibility has the potential to backfire: the requirement to evaluate the extent of risk involved in a data transfer on a case-by-case basis would make the provisions very time-consuming, not to mention expensive, to implement. Peter Church, a technology lawyer from Linklaters, aptly commented on this in an article where he said:
“This is going to be a difficult and expensive exercise as some local law enforcement and national security laws are complex and obscure. It is not clear how small and medium-sized enterprises can comply with this obligation in a meaningful way.”
Statements like this make it clear that implementing the SCCs will lead to considerably more paperwork for companies in general. Another very important point to note is that implementation of the SCCs within all European businesses will not address the problem that was discussed in the Schrems case. The EC and the European Court of Justice have no jurisdiction over the US laws that allow intelligence agencies to access even the private data of citizens in other countries. With this being said, it is fairly clear that there are apprehensions about whether the new SCCs are a sufficient mechanism to promote data privacy in the way that they claim. Whether these apprehensions are justified, and whether there will be a need for additional safeguarding measures, cannot yet be determined.
As of now, the revised SCCs will come into effect 20 days after the publication in the Official Journal of the EU. Three months after the said publication, companies will no longer rely on the older, repealed SCCs for the transfer of data.