In Perspective: European Commission publishes Q&A on SCCs for data transfers

What happened

• The European Commission published a Q&A on the two sets of standard contractual clauses (one set for controllers and processors and another for the transfers outside of the EEA) for data transfers under the EU GDPR.
• According to the Commission, the Q&A provides practical assistance on the use of SCCs and aids stakeholders in compliance efforts. It will be updated as new questions emerge.

• The Q&A consists of 44 questions and the key takeaways are:
  • The obligations of Article 28 of the GDPR have been included into the SCCs for data transfers from controllers to processors or processors to sub-processors. As a result, companies are not required to sign a separate data processing agreement in order to comply.
  • When transferring personal data to controllers or processors in non-EEA countries that are directly subject to the GDPR, organisations cannot rely on the 2021 set of SCCs to comply with the GDPR, as the Commission states that this would “duplicate and, in part, deviate from the obligations that already follow directly from the GDPR.” The European Commission intends to issue a new set of SCCs for use by organisations in this scenario.
  • Whilst SCCs can be supplemented with additional clauses or incorporated into a broader commercial contract, the other contractual provisions must not contradict the SCCs. In particular, SCCs “may not include a general exculpation from liability”, suggesting that liability caps are prohibited.

Why it matters

• Organisations intending to implement the new EU SCCs for EU transfers must keep in mind that the deadline for replacement of the “old” EU SCCs with the new SCCs is 27 December 2022.
• The Commission expects data exporters to inform data subjects where SCCs are used to transfer data and provide a copy of the signed clauses on request, including the completed and signed annexes. A general reference to the SCCs (e.g. by providing a link to the Commission’s website) is not sufficient.  
• Organisations should assess whether it is necessary to update their privacy policies and data subject rights handling processes to provide the required information.
• The Commission’s confirmation that the new SCCs cannot be used for transfers to controllers or processors in third countries that are directly subject to the GDPR leaves a compliance gap pending a new set of SCCs for use in this scenario.

What happened

• The ICO has called on the criminal justice sector to immediately stop collecting excessive amounts of personal information from victims of rape and serious sexual assault cases.
• According to the ICO, police in the UK require victims to provide ‘blanket’ consent to them accessing large amounts of personal data before accessing justice. In England and Wales, this is known as a ‘Stafford statement,’ and it allows police access to the victim’s information, including school records, medical histories, social service data and mobile phone content.
• The requests fall short of the requirements of the DPA 2018 and UK GDPR, and were therefore unlawful.

Why it matters

• Recital 43 of the GDPR specifies that valid consent must be freely given and does not provide a valid legal ground for the processing in a case where there is a clear imbalance of power between the data subject and the controller, particularly where the controller is a public authority.
• Consent is just one lawful basis for processing personal data, which is appropriate if you can offer individuals genuine choice and control over the use of their data. Organisations unable to offer a genuine choice by making consent a precondition of a service, should consider relying on an alternative, more appropriate lawful basis.
• Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
• This serves as an important reminder that data minimisation is key. Any personal data obtained or otherwise processed in relation to an individual must be adequate, relevant, not excessive and pertinent to the purpose specified.

What happened

• The EU Data Governance Act (DGA) was published in the European Union’s Official Journal this month. It will take effect on 23^rd June and will apply to companies 15 months thereafter.
• The DGA establishes new guidelines for data marketplace neutrality and allows the wider reuse of public sector data, including personal data, with the goal of increasing trust in data sharing for research and other public-interest activities.
• The DGA creates a framework to adopt a new business model that will provide a secure environment in which companies or individuals can share data.
• For personal data, it is intended that the model will help individuals exercise their rights under the GDPR, in having full control over their data and allowing them to share their data securely with an organisation they trust.

Why it matters

• The DGA provisions will expand prospects for EU organisations that make use of public sector data including personal data, as well as facilitating new data sources. Ensuring your organisation has a robust data governance framework in place will be particularly important in manging increased volumes of data.
• The DGA sets out the requirement to ensure the protection of data is preserved and sets out various methods by can be achieved, including techniques for anonymisation and pseudonymisation in the re-use of personal data.
• The DGA will be followed by a second legislative proposal focussed on greater data sharing: the Data Act, a draft of which was published by the European Commission earlier this year.
• Both pieces of legislation are the result of the European Data Strategy, which aims to create shared European data spaces in order to promote data availability across society.