On January 19, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the draft standard contractual clauses for international data transfers (“draft SCCs”) published by the European Commission (“EC”) on November 12, 2020, including a marked-up version of the clauses.
The EDPB/EDPS joint opinion proposes several revisions and amendments to the EC’s draft SCCs, including some suggested changes which aim to clarify their scope. For example, the joint opinion recommends that the EC clarify: (1) that the draft SCCs cannot be used for transfers to non-EU controllers that are directly subject to the GDPR (even though this may still constitute an international transfer of personal data according to the joint opinion); (2) whether and how the draft SCCs apply to joint controllership relationships; and (3) that the clauses on government access requests in the draft SCCs also apply to access requests from courts and other public authorities of a third country.
Many of the proposed revisions and amendments aim to bring the draft SCCs closer to the GDPR and the EDPB’s guidelines on the concepts of controller and processor, guidelines on the territorial scope of the GDPR, and recommendations on international data transfers. Other proposed changes seek to reinforce the safeguards provided to data subjects. For example, the joint opinion recommends extending the third-party beneficiary rights to provisions that were excluded by the draft SCCs. The opinion also calls for imposing joint and several liability for data exporters and data importers under the draft SCCs.
It remains to be seen whether and to what extent the EC will implement any changes to the draft SCCs on the basis of this joint opinion, before finalizing and publishing the new SCCs, expected in spring 2021.