EU Seeking Comment on Revisions to Standard Contractual Clauses

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US are standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has causes some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method -alone- for transferring personal data to certain jurisdictions, including the US. (See proposed supplemental protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)

Given these concerns, it has long been anticipated that the EU Commission would revisit and revise the clauses. It has done so, and is seeking comment on modifications to the clauses. Unlike the current SCCs, of which there are a few (including for transfers between two controllers, and transfers from controllers to processors), the new version has a variety of different provisions that the parties can select based on their respective roles (controller, processor). The updated clauses also take into account GDPR-required content, like data minimization and security. They also contemplate more thoroughly “onward transfers” of information, and allow for more parties to be signatories than under the current scheme.

Interested parties have until 10 December 2020 to comment on the draft. It is anticipated that a vote will be made on the clauses by the EU early next year, and they will be adopted shortly thereafter. There would then be a one-year grace period to allow companies to switch over from the current set of clauses to the new ones. The caveat, though, is that companies must use “necessary supplemental measures” to ensure that data is adequately protected. The EU is also seeking comment on controller-processor standard clauses to address general GDPR requirements (in Data Protection Agreements) when data is not being transferred out of the EU.

Putting it Into Practice: Until the new clauses are implemented, companies transferring data between the EU and the US will need to rely on current measures, which include the current set of SCCs, and keep in mind the EDPB’s cautions around “supplementary measures” needed for protecting outbound data. While there is time before any new clauses come into effect, in anticipation of the new clauses, we expect EU companies transferring data will likely be auditing and mapping the data they transfer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.