On June 4, 2021, the European Commission (EC) adopted two new sets of Standard Contractual Clauses (new SCCs, SCCs, or model clauses): one for contracts between controllers and processors inside the EU, and one for transfers of personal data to third countries. The transfer clauses, the subject of this alert, align more closely with the EU's General Data Protection Regulation (GDPR) and help bridge the gap left by the July 2020 invalidation of the EU-US Privacy Shield in Schrems II.
The Schrems II decision of the Court of Justice of the European Union (CJEU) greatly disrupted international data transfers, above all because it invalidated the Privacy Shield.
Pre-Schrems II
Prior to Schrems II, many U.S. companies relied on the Privacy Shield to transfer EU personal data to, and store it in, the United States, as we discussed at the time of that landmark ruling. The CJEU held that the Privacy Shield did not adequately protect EU data subjects' personal data and could no longer be relied on for transfers to the United States. Transfers to the United States, or to any other destination country, could continue only if the then-existing SCCs (prior SCCs), combined with supplementary measures where necessary, delivered a level of protection "essentially equivalent" to that guaranteed by the GDPR.
The prior SCCs, however, first appeared in 2001 and were revised in 2002, 2004, and 2010. At that time, the EU was still governed by the Data Protection Directive, adopted in 1995. The GDPR became fully effective in the EU in 2018. In Schrems II, the court held that the prior SCCs remained a valid transfer mechanism, but only where the exporter verified, case by case, that they afforded protection essentially equivalent to the GDPR.
After 11 months in which companies tried to work out how to achieve GDPR-equivalent protection through clauses that predate the GDPR, the EC has announced revised SCCs that not only comport with the GDPR but also attempt to provide a workable method for data transfers to countries that lack an adequacy decision.
Modular Compliance
The role of the SCCs is to ensure appropriate data protection safeguards for international data transfers. The SCCs are designed in a modular format, allowing data exporters to select which module relates to their export and then follow the clauses that pertain to the chosen module.
Transfer scenario | Abbreviation | Module |
Controller-to-controller transfers | C2C | Module 1 |
Controller-to-processor transfers | C2P | Module 2 |
Processor-to-controller transfers | P2C | Module 3 |
Processor-to-processor transfers | P2P | Module 4 |
Two of the most significant updates in the new SCCs are the addition of processor-to-controller transfers (Module 3) and processor-to-processor transfers (Module 4), neither of which the prior SCCs covered. Another important update is that the new SCCs can be used where the data exporter is not established in the EU but is nonetheless subject to the GDPR, a scenario the prior SCCs also did not address.
The annexes require the parties to identify, for each transfer, the data exporter(s) and data importer(s) and to state each party's role as controller or processor. The template provides multiple annexes so that parties with several transfers can document each one transparently, although a single completed annex can suffice for a simple contractual relationship.
Why This Matters
The EC adopted a risk-based model: the parties must assess, and warrant, that they have no reason to believe the laws and practices of the destination country will prevent the data importer from fulfilling its obligations under the clauses and providing an adequate level of protection for EU data subjects' personal data. This assessment is noteworthy because it expressly allows the parties to take into account, as relevant documentation, their prior practical experience with disclosure requests from public authorities. Before giving the warranty, the parties are expected to assess the specific circumstances of the transfer, the laws and practices of the destination country, and any supplementary measures needed to make adequate protection possible.
The warranty of adequate protection is an ongoing obligation. If, after giving it, the data importer has reason to believe it can no longer provide adequate protection, it must promptly notify the exporter, and the exporter must either adopt additional supplementary measures or, if no safeguards can ensure adequate protection, suspend the transfer.
The annex on technical and organisational measures in the new model clauses gives an overview of the kinds of supplementary measures companies can adopt to satisfy Schrems II, including technical and organisational measures that enhance security and confidentiality, such as encryption, pseudonymisation, and data minimisation.
Time to Process
The new SCCs go into effect on June 27, 2021. Three months later, on September 27, 2021, the prior SCCs are repealed, and from that date new contracts and transfers must use the new SCCs. The EC has, however, provided an additional 15-month transition period for existing contracts, 18 months in total when added to the three-month grace period. Contracts concluded under the prior SCCs before September 27, 2021 may continue to rely on them until December 27, 2022, provided the processing operations covered by the contract remain unchanged.
For transfers that will remain ongoing beyond December 2022, the end of the 18-month transition period, it may be wise to negotiate such contracts under the new SCCs now rather than re-negotiate them 18 months later, as will otherwise be required.
Take Action
In the meantime, a few proactive steps now can save your company time later:
1. Familiarize corporate leaders with the terms of the revised SCCs before any deadlines approach
2. Review the new SCCs with counsel, in particular Modules 3 and 4 if applicable
3. Identify which transfers will still be ongoing at the end of the 18-month transition period and begin planning how to amend those contracts
4. Note any new contracts to be entered into before the end of the three-month grace period and before the end of the 18-month transition period, and assess how to negotiate them around the new SCCs
Our Privacy, Cybersecurity, and Data Management team will continue to monitor developments in this arena.