Since the General Data Protection Regulation (GDPR) entered into force, discussions on third country data transfers have considerably increased. As data flows build a cornerstone of Europe’s modern and globalized economy, the role of tools transferring personal data to third countries, such as adequacy decisions like privacy shield or standard contractual clauses, becomes more and more important. At a recent event, Commissioner Věra Jourová reemphasized the importance of third country transfers, stating that “[w]e are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”
Today, many organizations still rely on the standard contractual clauses introduced under the previous privacy regime, the Directive 95/46/EC. While these clauses are formally still accepted, they have not yet been updated and adopted to GDPR. Additionally, clauses specifically addressing the needs of processor to processor relationships are missing. Processor to processor relationships, therefor, still require complex adjustments of existing standard contractual clauses, which is not only cumbersome but also challenging to safely and appropriately meet legal requirements. At the same time, current clauses are under investigation by the European Court of Justice (ECJ) in the so-called “Schrems II” case and thereby increase legal uncertainty for organizations relying on the clauses.
Due to the current lack of standard data protection clauses – which are introduced in Article 46 of GDPR as one mechanism to transfer personal data to third countries – a consortium of different European and international companies from different sectors joined forces and developed a first draft of such clauses. In particular, this set of clauses introduces key principles and safeguards for the processor to processor environment. The development of these clauses was driven by the need for an as comprehensive and accurate regime as possible, while safeguarding a high level of data protection for third country transfers. At the same time, it was ensured that in particular small and medium-sized companies could rely on such clauses.
“Standard contractual clauses as appropriate safeguard for third country transfers are of utmost importance for the data economy”, said Mathias Cellarius, Group Data Protection Officer and Head of Data Protection & Privacy at SAP. “Especially in the processor to processor environment, adopted clauses are missing in the toolbox and would be enormously helpful for companies as well as for individuals whose data is protected under these clauses.”
Taking the Schrems II case into consideration, European industry might face a significant halt if the ECJ will decide to declare void both the privacy shield and the standard contractual clauses as under the Directive. The associated companies of this initiative welcome the European Commission’s recent emphasis on modernising the standard data protection clauses, which is strongly needed. The associated companies therefore look forward to deepening the constructive dialogue with relevant stakeholders, i.e. above all the European Commission, supervisory authorities, the European Data Protection Board, and industry representatives, to ensure that an effective, undisputed and efficiently operable safeguard to process personal data in third countries will be established soon.
This project is coordinated by SCOPE Europe and has been supported by Alibaba Cloud (Singapore) Private Limited, DATEV eG, eyeo GmbH, Fabasoft AG and SAP Belgium NV/SA.
An extensive review of existing literature and academic work on the subject matter was conducted before the actual drafting of the clauses. Among other sources, the benefits and disadvantages of the Working Party 29 draft on ad hoc contractual clauses1 was examined. During the development of the clauses, different stakeholders and partners from industry (including associations representing diverse memberships with different processing activities, business models and company structures, including many small and medium-sized enterprises) and from the legal sphere (such as law firms specialized on data protection and IT-law and academia) were continuingly consulted and involved to ensure meeting existing market needs