Revised Standard Contractual Clauses and additional safeguards

On November 10, 2020, in light of the Schrems II decision, the European Data Protection Board (EDPB) adopted Recommendations concerning potential additional safeguards to ensure that the level of protection afforded to personal data transferred remains "essentially equivalent" to that of the EU (Recommendations, at Annex 2). The primary safeguards discussed were the encryption of personal data, and transfer of pseudonymised data.

Also on November 10, 2020, the EDPB adopted Recommendations on what it means for personal data to have "essential equivalent" protection.

Then, on November 12, 2020, the European Commission (EC) published draft revised Standard Contractual Clauses (SCC) for the transfer of personal data to third countries under the EU General Data Protection Regulation (GDPR).

Notable changes:

1. The revised SCCs apply a "modular" approach to cover four (4) potential transfer scenarios for personal data leaving the EEA: (1) controller to controller, (2) controller to processor, (3) processor to processor, and (4) processor to controller. The current SCCs only cover controller to controller or controller to processor scenarios.

2. The revised SCCs now satisfy the requirements of GDPR Art 28(3) for transfers between a controller and a processor.

3. The revised SCCs are intended for use between multiple parties.

The EC draft also repeals the current SCCs and provides a one (1) year grace period to execute the revised SCCs once they are approved (Draft Implementing Decision, at Art 6(3)).