GDPR and the updated Standard Contract Clauses (SCC)

In 2018 the General Data Protection Regulation (GDPR) was passed in the European Union so establishing one of the strict data privacy compliance and security laws in the world. Since the GDPR came into force over 600 enforcement actions have been conducted and fines have been levied of over Euros 200 million.

For those Australian companies that collate, control or process the personal data of EU data subjects (being data of someone who resides in the EU) the GDPR is a regulation which should be adhered to or large sanctions and fines may possibly be imposed.

The GDPR originally set out seven protection and accountability principles which are to be adhered to by those entities that collect and process personal data.

Article 5.1-2

1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation — You can only process data for the legitimate purposes expressly specified to the data subject when you collected it.
3. Data minimization — The Controller and Processor can collect and process only as much data as is necessary for the purposes specified.
4. Accuracy — Personal data must be accurate and up to date.
5. Storage limitation — The obligation is to store personally identifying data for as long as necessary for the specified purpose.
6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (encryption).
7. Accountability — The Controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

These principles were manifested in earlier legislation that published the original Standard Contractual Clauses (SCC). These SCC are mandatory conditions to be included in every data processing contracts between data controllers and data processors, who collate and process the personal data of EU based data subjects.

It was intended that the SCC would be subject to periodic review while the European Union assessed ongoing practical compliance by those entities subject to these SCC conditions and the 2018 GDPR. The GDPR also mandated that those data controllers who did not maintain operational presence in the EU, but collected and controlled data of EU data subjects, had to appoint a resident EU office agent to process complaints and enquiries from EU customers / data subjects.

Recent Developments

In November 2020 it was announced that a review of the current SCC was being undertaken and  revised draft SCCs were published for comment. One criticism of the earlier SCC and the GDPR regulations themselves was that it was not clear whether the existing regulation had extra territorial application to offshore data controllers and/or processors.

The new SCC have removed this ambiguity and the new SCC will have extra territorial effect. For those Australian companies undertaking these types of data collection, compliance with the GDPR is a practical necessity.

The replacement SCC will also cover obligations as between processor and sub-processor (P2P) and from processor to controller(P2C) which was deficient in the original Standard Contract Clauses.

Take Away

The consultation period for the new draft SCC has now ended and the timetable for the new SCC clauses to come into force will be around late June 2021 and companies will have approximately 6 months to ensure contract compliance and adoption of the revised SCC (by January 2022).

Australian companies operating in this space will need to get ahead of this curve by reviewing their existing model contracts (data processing agreements) and update them to ensure the new SCC are incorporated into their agreements.

It will also be a requirement for companies engaged in importing data into Australia to conduct a local privacy law risk assessment to ensure Australian local privacy laws do not impede compliance with the new SCCs and this written assessment must be provided, if requested, to the EU regulators.