On June 4, 2021, the European Commission took final action to adopt two new sets of standard contractual clauses (SCCs). One of these provides a mechanism for transferring personal data to countries, including the U.S., that are not certified by the European Commission as having adequate data protection laws. The new form of SCCs for cross-border transfers replaces and updates the current forms (from 2004 and 2010) by:
- Aligning the SCCs with the General Data Protection Regulation (GDPR).
- Taking into account, to some extent, the practical complications of the Schrems II opinion issued by the EU Court of Justice in July of 2020.
- Using a “modular” format that can be adapted to the range of different types of transfers that take place in a supply chain.
The new SCCs go into effect on June 27, 2021, allowing some time for important transition periods. Companies may continue to use the “old” forms of SCCs prior to September 27, 2021. But companies must start using the new forms of SCCs by September 27, 2021 for all new contracts and any pre-existing contracts that are modified after September 27, 2021. Companies must have implemented the new SCCs for all existing contracts by December 27, 2022.
Some highlights of the new SCCs from the perspective of a U.S. data importer (whether controller or processor) are summarized below.
Data exporters and importers must each conduct, and document, two different assessments before undertaking (or continuing) a proposed data transfer:
- Security assessment: Whether the importer has in place the technical and organizational measures to appropriately safeguard the data in question.
- Schrems II assessment: Whether the laws and practices of the importing country will prevent the importer from fulfilling its obligations under the SCCs even if supplementary protective measures are in place.
Controller/Processor Role Modules
The new SCCs have provisions (or modules) to cover the four different scenarios of data transfers in a supply chain:
- Controller to Controller
- Controller to Processor
- Processor to Processor (new)
- Processor to Controller (new)
How these apply to existing contracts will need to be worked through during the transition period.
There is now a mechanism for adding new parties to the SCCs when new parties are introduced into an existing supply chain.
Affirmative Obligations of Data Importers
Data importers must sign on to significant affirmative obligations designed to address the perceived privacy shortcomings of U.S. national security legislation and practices. Data importers must:
- Document the importer’s assessment that the laws and practices of the importing country will not prevent the importer from fulfilling its obligations under the SCCs, taking into account the specific circumstances of each specific data transfer.
- Notify the data exporter and data subject if it receives a request for personal data from a government authority or becomes aware that a government authority has accessed personal data (and maintain records of those requests).
- Challenge any government request for personal data, which includes pursuing all appeals, if the data importer concludes, after review, that there are reasonable grounds to believe the request is unlawful.
- Maintain records about the processing of the imported data that are not identical to Article 28 of the GDPR, but appear to be more extensive than anything in current U.S. law (except possibly HIPAA).
Legal Assessment and Practical Experience
The final version of the new SCCs allows for some degree of reliance on “practical experience” in making the legal assessment that the data importer will not be prevented by local laws and practices from complying with the SCCs, which is a condition precedent to a data transfer to the U.S. or other countries not deemed to have adequate legal data protection. With respect to the U.S., the concern expressed by the EU Court of Justice in the Schrems II case involved the ability of the government to obtain personal data for national security purposes and thereby undermine the protections of the SCCs.
In an attention-grabbing footnote to Clause 14, the European Commission stated that the overall legal assessment may take into account “relevant and documented practical experience with prior instances of requests for disclosure from public authorities.” This practical experience must be documented in internal records, based on due diligence, and certified by senior management. In addition, the historical experience of the data importer “needs to be supported by other relevant, objective elements,” including corroboration about similar requests in the same sector and how the importing country’s laws have been applied in actual practice.
Security Measures Assessment
Annex II to the new SCCs contains a list of eight so-called “examples of possible measures” that the data exporter needs to consider when assessing whether the proposed importer can provide the appropriate level of security. Some of the listed measures are ones we are just beginning to see in U.S. laws and enforcement actions by the Federal Trade Commission or state regulators. Examples of these include measures for data protection during transmission and in storage, and measures ensuring events logging, system configuration, data minimization, and limited data retention.
Where Do We Go From Here?
For U.S.-based companies, the impact of Schrems II has ranged from a persistent anxiety to a major nightmare. The new SCCs adopted by the European Commission offer the reassurance of at least a defined framework for cross-border transfers. But that framework is complicated and demands quite a lot of objective and subjective evaluation. It does not provide a formula for how to fit a company’s specific data transfer needs into a neat compliance scheme. For many, the transition is likely to require considerable planning and budgeting.
To learn more about how your company can use the new SCCs, please contact our Cybersecurity and Data Privacy Team.