Standard Contractual Clauses 2020

To help companies make this transition, and in response to Schrems II (2020) and the GDPR (2016), the European Commission has decided to create new SCCs and repeal the old SCCs as of 27 September 2021. For companies that entered into the former SCCs before September 27, 2021, these former SCCs will remain valid until December 27, 2022. So far, it has published two sets of standard contractual clauses for the transfer of data from controllers in the EU to controllers based outside the EU or the European Economic Area (EEA). The new SCCs largely follow the draft Implementing Decision on Standard Contractual Clauses (draft SCCs) published by the European Commission on 12 November 2020, but there are some key differences. Indeed, the important and extensive new SCC requirements for data importers acting as controllers (e.g. obligations to notify data subjects and report personal data breaches to EU authorities) remain in place, but have been more closely aligned with the requirements of the GDPR. [5] Unlike other frameworks for the transfer of personal data outside the EEA provided for in Articles 46 and 47 of the GDPR, such as Binding Corporate Rules (“BCRs”), approved codes of conduct and certification mechanisms, or ad hoc contractual clauses negotiated in private between controllers and/or processors. All of these mechanisms require the intervention of a regulatory authority or a certified/authorised third party to monitor and authorise the transfer of personal data outside the EEA. All new contracts must use the new standard contractual clauses after September 21, 2021. If, after this period, employers with employees in the EU provide data without adequate legal protection, they could face fines or legal proceedings.

The European Commission may decide that the standard contractual clauses provide sufficient safeguards for data protection so that data can be transferred internationally. [4] See Article 28(8) of the GDPR, which also allowed EU supervisory authorities to adopt standard contractual clauses for data processing agreements. See, e.g., the French CNIL (www.cnil.fr/fr/sous-traitance-exemple-de-clauses); the Spanish AEPD (www.aepd.es/sites/default/files/2019-10/guia-directrices-contratos.pdf). The new clauses reflect changes implemented with the EU's new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred. Until recently, the two most commonly used mechanisms in the United States were the former SCCs and the EU-U.S. Privacy Shield Framework (the “Framework”). However, in July 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the Data Protection Commission case against Facebook Ireland, Schrems (“Schrems II”), which invalidated the Framework. The CJEU said that due to US surveillance laws, which allow excessive collection of personal data from the EU without taking into account the principles of proportionality, necessity and redress, the Framework cannot provide protection essentially equivalent to the protection guaranteed in the EU.

Since then, Framework-certified companies have had to resort to other approved mechanisms, and parties relying on the former SCCs have had to reassess their compliance with these SCCs in the light of the Schrems II decision. This customer alert is intended to help explain the possible applications of these new standard contractual clauses. Modular approach: The Commission has adopted a modular approach to the draft SCCs, which include general conditions for all transfers and “modules” containing tailor-made clauses. The “modules” of the draft SCCs cover transfers: The draft SCCs are open for public consultation until 10 December 2020, and comments can be submitted here. The procedure for adopting the SCCs requires an opinion of the European Data Protection Board and the European Data Protection Supervisor, as well as a positive vote by the EU Member States under the comitology procedure. The final SCCs are expected to be adopted in early 2021. Standard contractual clauses for data transfers between EU and third countries.

The Decision on the new SCCs for the transfer of personal data to third countries provides for two transitional periods (or grace periods) to allow stakeholders to change their contractual framework. On the one hand, the standard contractual clauses for data processing agreements aim to provide an optional set of clauses that controllers and processors can use to perform contracts in accordance with Article 28 of the GDPR. However, each data processing agreement is directly subject to Article 28 of the GDPR and does not require the use of clauses approved by the European Commission or EU supervisory authorities to be valid. In addition, many supervisory authorities have published similar model data processing agreements to provide guidance to controllers and processors. [4] However, the standard contractual clauses for data processing agreements adopted by the European Commission may offer additional convenience to companies and organisations that process personal data across borders and cannot rely on the guidelines of their (lead) supervisory authority. Under the GDPR, the European Commission has the power to adopt implementing acts, in particular: (i) the creation of standard contractual clauses for data processing agreements between controllers and processors and between processors and sub-processors (Article 28(7) GDPR) and (ii) the creation of standard contractual clauses as appropriate protection for the transfer of personal data to third countries (Article 46(2)(a) GDPR). On 12 November 2020, the European Commission published the updated draft Standard Contractual Clauses (SCCs) for consultation (available here). The use of these standard contractual clauses for data processing agreements gives controllers and processors a certain additional degree of security with regard to their compliance with Article 28 of the GDPR, in particular vis-à-vis supervisory authorities or national courts in the event of disputes.
Although data processing agreements that do not comply with the standard contractual clauses of the European Commission or supervisory authorities are not illegal per se, they are expected to be subject to scrutiny if they are the subject of disputes or fall within the authorities' line of sight.