The European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020.  The guidance addresses both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).

International SCCs

The International SCCs will replace the existing SCCs companies have used to transfer personal data from within the EEA to organizations in non-EEA countries not deemed to provide an adequate level of protection for data of EU residents. In the wake of the invalidation of the EU-U.S. Privacy Shield in the Court of Justice of the European Union’s (the “CJEU’s”) Schrems II judgment, most organizations will need to rely on the International SCCs to lawfully transfer data under the General Data Protection Regulation (“GDPR”).

EDPB and EDPS welcome provisions in the draft international SCCs that address issues identified in the Schrems II judgment.  They do, however, suggest improvements or clarification of certain provisions. The EDPB and EDPS suggestions include:

  • Additional clarity about what is required of data exporters in assessing the amount of access a public authority has to data the importer receives;
  • Clarifying that the subjective likelihood of public authority access to personal data should not be considered as part of the assessment, and that the assessment should be based on objective factors; and
  • Emphasis on the need for controllers to consider the EDPB’s recommendations on supplementary measures alongside the SCCs. They invite the European Commission to include an explicit reference to the final version of these recommendations if they are adopted before the European Commission’s SCC decision.

The joint opinions indicate that the EDPB and EDPS expect that data exporters and importers will conduct a detailed analysis of all transfers made by their organizations, examining the legal safeguards they have implemented and the role of the exporter and the importer in the processing of relevant data.  The comments note that it is of the “utmost importance” that the SCCs clearly establish the roles and responsibilities of each party with respect to each transfer or set of transfers.

EEA Controller-Processor SCCs

In a press release issued by the EDPB and EDPS, EDPB Chair Andrea Jelinek welcomed the EEA Controller-Processor SCCs as an EU-wide mechanism that provides legal certainty and helps organizations comply with the GDPR. The EDPB and EDPS ask the European Commission to clarify the circumstances in which the SCCs may be used.

They also suggest a draft of further amendments to better align the SCCs with the GDPR and ensure that they are practical.  The comments focus on the need for clarity about whether the SCCs can support transfers to parties subject to the GDPR but outside the EU as well as intra-EU transfers; recommendations that SCCs be deemed appropriate for transfers to processors not subject to the GDPR but located in jurisdictions found adequate by the European Commission; and the need for clarity about the interplay between the EEA Controller-Processor SCCs and the International SCCs.

The opinion on the EEA Controller-Processor SCCs is available here. The opinion on the International SCCs can be viewed here.