The European Commission (EC) has published the long-awaited new Standard Contractual Clauses (SCCs). The new SCCs are the data transfer mechanism many US data exporters will need to rely on to transfer data from the EU to the US into the future. While US data importers will be breathing a sigh of relief with a more certain transfer mechanism in place, the new SCCs do include stricter obligations than their predecessor.
Background on Schrems II & The New SCCs
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the long-negotiated Privacy Shield transfer mechanism in a judgement known as Schrems II. Many US companies had relied on the Privacy Shield to transfer data from the EU to the US, so its invalidation caused significant uncertainty for US data importers. The CJEU confirmed the validity of a transfer mechanism known as the Standard Contractual Clauses in the same judgement, but with some caveats.
Some changes to the ‘old’ SCCs were already required to bring the SCCs in line with today’s commercial realities, as well as to bring the protections they offer in line with the General Data Protection Regulation (GDPR). The Schrems II decision added urgency and the need for enhanced provisions to address government access to data held by data importers in countries, like the US, not deemed by the EU to provide “adequate” data protections. As a result, the EC released draft SCCs in November 2020, which have now been finalized and released as the new SCCs.
Notable Provisions in the New SCCs
The modular design put forward in the draft SCCs has been retained in the new SCCs. The modules reflect the four different types of transfer permitted under the new SCCs, namely:
- Controller to controller transfers.
- Controller to processor transfers.
- Processor to processor transfers.
- Processor to controller transfers.
Strict Criteria for Onwards Transfers
The new SCCs severely curtail data importers’ ability to forward the data once it leaves the EU. Any downstream sub-processors of the imported data need to accede to the terms of the new SCCs or enter into contracts offering identical protections. Data importers may also transfer the data onwards in certain circumstances if they have explicit, informed consent from the data subject.
A Risk-Based Approach & Transfer Impact Assessments
Data exporters will be permitted to rely on a risk-based approach when assessing the laws in the jurisdiction the data transfers will land in. The new SCCs prohibit data transfers where data importers wouldn’t be able to comply with the updated requirements due to the laws or practices in the data importer’s jurisdiction – particularly, laws and practices that would allow the government of the destination jurisdiction to access the data for law enforcement or intelligence purposes. Essentially, the new SCCs require exporters and importers to investigate and warrant that the protections promised by the SCCs can be delivered and maintained once the data leaves the EU.
Here’s what the provision specifically states:
The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
In practice, when undertaking due diligence in this regard, US data importers should conduct and document a transfer impact assessment that considers both the laws of the U.S. with respect to government access and the practices common to their industry and the types of data they collect.
Greater Security Requirements
Data importers are required to maintain security controls designed to protect data subjects from security breaches during and following transmission of the data. Encryption and pseudonymisation, including during transmission, are both highlighted as the minimum safeguards parties to a transfer should be considering.
Annex II in the SCCs requires parties to the data transfer to outline specifically which technical and operational processes are in place to protect the data being transferred. General statements about having security controls in place will no longer suffice. While there is significant mention of cybersecurity requirements, physical security is also referred to and should be considered before transferring the data.
Access control is also specifically outlined as a requirement in the SCCs.
Data Subject Rights as Third-Party Beneficiaries Under SCCs
Data subjects are given a right to enforce SCCs covering their data and to receive compensation for material and non-material damage as a result of a party’s non-compliance with the new SCCs.
Supervisory Authority Clarified
The new SCCs require the parties to indicate at the outset which entity will operate as the supervisory authority for the transfer.
Data subjects are also granted rights to lodge a complaint with the supervisory authority in their home state or the state in which they work. Alternatively, they may choose to lodge the complaint with the supervisory authority elected by the data exporter in Annex I.
Generally, the new SCCs offer protections to data subjects that more closely align with the GDPR. Data breach reporting requirements and technical safeguard requirements, for instance, now align with the level of protection offered by the GDPR. Further, without referring to specific clauses, you will note an uptick of language used in the GDPR regarding transparency, data minimization, the right to correct, and the right to erasure.
You can read the complete text of the new SCCs here.
Key Dates to Note in the New SCCs
June 27, 2021: The new SCCs come into effect. Data exporters can rely on the new SCCs from this date.
September 27, 2021: The old SCCs are repealed. Until this date, data exporters that are not yet in a position to comply with the new SCCs can still enter into new contracts which rely on the old SCCs.
In practice, this gives you 3 months to get into a position where you can enter into new contracts that align with the new SCCs. This 3-month grace period is not a reason to delay; you will need to act immediately to comply with the new SCCs.
December 27, 2022: Data exporters have 18 months to move all of their existing contracts (which use the old SCCs) over to the new SCCs. However, if you make material changes to your contract with an existing customer after September 27, 2021, you must update the agreement to include the new SCCs at that time. This is an extension of the initial 12-month period suggested in the draft SCCs.
Practical Guidance for Businesses Relying on the New SCCs
Step 1: Inventory your data transfers.
We previously published our guidance for US businesses transferring data from the EU based on the EDPB’s recommendations. If you haven’t already undertaken the inventory of your transfers based on that guidance, you should make doing so a priority.
If you have previously inventoried your data transfers, ensure the inventory is up to date. At this stage, you should also note the date on which each of your data transfer contracts concludes. You can prioritize renegotiation of data transfer contracts based on those conclusion dates.
Step 2: Assess your current transfer processes against the new SCCs.
From there, you should assess each data transfer you engage in against the criteria outlined in the new SCCs. You must determine whether your current data transfer processes and technical protections meet the criteria outlined in the new SCCs. Your assessment of the data transfer process should be a standardized and documented process, which includes the mandatory transfer impact assessment. Your decision-making process regarding the efficacy of the safeguards and protections for your data transfers should also be documented.
Step 3: Adapt your current processes and update your technical protections.
You are likely to find gaps when you assess your current transfer processes against the new requirements. This provides you with a starting point for developing compliant processes for any contracts entered into that rely on the new SCCs.
Once you’ve worked out what you need to adapt and/or update to achieve compliance for your future data transfers, you should begin making those changes.
Step 4: Develop a timeline for updating your current contracts.
Negotiating compliance with the new SCCs with your current providers is going to take time. You should develop a timeline for updating your current contracts to ensure compliance in advance of the 18-month deadline provided by the EC.
If you need assistance complying with the obligations outlined in the new Standard Contractual Clauses, get in touch. We’re here to help.