Publication
Global rules on foreign direct investment (FDI)
Cross-border acquisitions and investments increasingly trigger foreign direct investment (FDI) screening requirements.
Mondial | Publication | juin 2021
The purpose of the New SCCs is to help companies legitimise the transfer of personal data originating in the EEA to countries outside the EEA whose data protection laws have not been found by the European Commission to offer adequate protection (Third Countries). They will also be a lawful mechanism for UK companies to use too.
The documentation published comprises both an Implementing Decision and an Annex setting out the New SCCs themselves. At the same time, the Commission also published a set of clauses for use between controllers and processors, although these are not the focus on this briefing. The new SCCs were updated to:
(a) allow for various types of transfers using a modular approach. In particular, the New SCCs now helpfully provide for processor-to-processor transfers;
(b) give the clauses a GDPR ‘face lift’, including to update cross references to legislation and to ensure alignment with the requirements of the GDPR; and
(c) address the requirements of the Schrems II judgement, noting however that use of the New SCCs do not remove the need to assess the laws of the relevant Third Countries and ensure any necessary supplemental safeguards are implemented. This is a point made clear in both the Implementing Decision and the New SCCs themselves.
The most controversial issue surrounding the new SCCs was how they would deal with the requirements of the Schrems II case. In particular, whether, as in the draft SCCs, the New SCCs would allow organisations to take a risk-based approach when making the local law assessment of a Third Country and therefore consider the “likelihood” that public authorities would in fact access the exported personal data. Fortunately, this provision remains in the New SCCs. However, there is a greater emphasis on ensuring that any practical experience that is considered as part of the assessment is “corroborated and not contradicted by publicly available… information on the absence of requests in the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies”. This emphasis on being able to provide supporting evidence when relying on practical experience seems to be a nod to the stricter position put forward in the Joint Opinion. It will be interesting to see where the EDPB and EDPS lands on this point in their final guidance on the Schrems II judgment, which is expected in a few weeks. (Clause 14).
The provisions on challenging public authority access requests are also largely unchanged since the previous draft, although clause 15.2 expands what the importer must take into account when considering the legality of the request and whether to challenge it. (Clause 15)
(a) the obligations on data processors now include all elements required under Art 28 GDPR;
(b) the obligation on importer controllers to notify data protection authorities now applies if a personal data breach is likely to result in a risk to the rights and freedoms of natural persons and the obligation to notify data subjects of personal data breaches is also now aligned to Art 34 GDPR. (Module 1, clause 8.5(e) and (f));
(c) the obligation to implement appropriate technical and organisational safeguards is now more closely aligned to Art 32 GDPR. (Module 1, clauses 8.5; Modules 2 and 3, clause 8.6; Module 4, clause 8.2);
(d) the timeframe within which importer controllers mist deal with data subject rights. (Module 1, clause 10); and
(e) the liability regime (Clause 12).
The majority of changes in the New SCCs (when compared to the earlier draft) provide useful clarification. It will also be helpful for companies to see that the Commission broadly retains its original position on companies being able to take into account the “likelihood of access” argument when assessing Third Country laws.
However, companies should not lose sight of the fact that these New SCCs impose some onerous obligations and the parties relying on them will need to quickly consider how they will comply with the non-negotiable obligations in practice, especially as they will replace the current SCCs for all new transfers in just 3 months.
Companies must also remember that the New SCCs are just part of the export picture following Schrems II. Their use sits alongside the requirement for companies to clearly understand where personal data is being sent and accessed from, the roles of the receiving parties (e.g. controllers or processors), the requirement to assess the laws of the relevant Third Countries and to understand whether any additional technical safeguards are required alongside the New SCCs. The picture remains complex.
Click here to watch an on-demand webinar where we discussed the new SCCs and their impact in more detail.
Publication
Cross-border acquisitions and investments increasingly trigger foreign direct investment (FDI) screening requirements.
Publication
Artificial intelligence (AI) raises many intellectual property (IP) issues.
Publication
We are delighted to announce that Al Hounsell, Director of Strategic Innovation & Legal Design based in our Toronto office, has been named 'Innovative Leader of the Year' at the International Legal Technology Association (ILTA) Awards.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023