Today, in a major global development, the European Commission adopted newly revised Standard Contract Clauses (SCCs) to allow for international data transfers outside of the European Economic Area in compliance with the European Union’s (EU) General Data Protection Regulation (GDPR). The SCCs remain one of the most common transfer mechanisms for companies wishing to transfer personal data internationally.
The state of international data transfer between the EU and the United States has been in flux in the wake of the Schrems II decision last year. In July of 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield Framework through its Schrems II decision and called into question the reliability of the then-current SCCs. Schrems II declared that U.S. laws did not provide an adequate level of data protection, and thus eliminated the principal mechanism that allowed thousands of U.S. companies to conduct trans-Atlantic data transfers. Specific concerns with current U.S. laws were its: 1) failure to adequately limit government access to or surveillance of personal information; and 2) failure to provide adequate mechanisms for judicial redress for persons whose data had been collected under U.S. surveillance laws.
The European Commission released its highly anticipated update to the SCCs. This is the first update to the Standard Contract Clauses since 2010 and is expected to bring a more modular approach for various types of transfers (including those between processors and sub-processors). The updates will extend greater protections to companies transferring data outside the European Economic Area as the new clauses account for the Schrems II decision.
The Commission’s decision will enter into force on June 24, 2021. Companies will be able to continue to use the old SCCs for an additional three months after the 24th. Then, organizations will have 15 months to implement the new SCCs for all existing and new data transfers.
In addition, the United Kingdom’s Information Commissioner’s Office (ICO) recently announced that it is working on its own SCCs to facilitate transfers of data outside the United Kingdom post-Brexit. The ICO intends to release draft SCCs sometime this summer, with hopes of finalizing them by the end of the year.
The Biden Administration has made EU-U.S. Privacy Shield negotiations a central issue. This week, President Biden listed Privacy Shield negotiations as a top priority in his upcoming trip to Brussels on June 15. The president will have his first in-person meeting with European Commission President von der Leyen during his upcoming trip. Biden’s Administration is determined to negotiate a high-level political agreement which lays the groundwork for a new trans-Atlantic data transfer deal. Top European officials are pushing for a legally binding deal that safeguards EU rights. In the aftermath of Schrems II, U.S. and EU negotiators have been unable to make any headway in limiting bulk data collection from national security agencies. If this stalemate continues, the EU has hinted at a willingness to walk away from the negotiation table.
What does this mean for your business?
Businesses currently engaged in international data transfers should review their current data transfer agreements, data processing addenda, and vendor contracts to implement the newly-adopted SCCs as required for GDPR compliance. As this area is rapidly developing, U.S. businesses should endeavor to stay informed regarding any new EU-U.S. Privacy Shield developments. We will continue monitor any developments to this area.
If you have any questions regarding this memo, international data transfer, GDPR, or any other related matter, please contact Amber Lawyer, Shannon Knapp or any attorney in the Cybersecurity and Data Privacy practice.
*Special thanks to Ryan Marquette for assisting with researching and drafting this memorandum