International personal data transfers: EDPB guidance and new Standard Contractual Clauses

With many businesses still reeling from the Schrems II judgment earlier this year, November brought two key developments.

The first is the new draft Standard Contractual Clauses (SCCs) from the European Commission, which are one of the key transfer tools for exporting personal data to outside of the EEA. The SCCs have been updated to align with the GDPR and to add welcome flexibility (for example, by safeguarding processor to sub-processor and processor to controller transfers). The SCCs also address some of the issues arising from Schrems II by allocating responsibilities in relation to potential disproportionate access by public authorities to exported data.

The second is the European Data Protection Board’s recommendations on European essential guarantee for exported data and on supplementary measures when transferring data outside of the EEA. These cover the requirement to assess whether exported data will be protected to European standards when using the SCCs and other Article 46 transfer tools and, if not, some potential additional safeguards that may assist.

Both the new SCCs and the EDPB recommendations are under consultation and so are subject to change. The new SCCs are expected to be effective from Q1 2021 and should be used from then on, with a one-year grace period to update existing contracts that rely on SCCs.

Stephenson Harwood has developed go-to-guides to help you navigate this new information and help prepare your business for post-Brexit and post-Schrems II data transfers:

• For our summary of the new draft Standard Contractual Clauses see our guide Updating transfer mechanisms in a post-Schrems II world.
• For a breakdown of the EDPB’s new guidance look at our article Is it really as simple as six steps to success?