The European Commission (“EC”) has long sought to improve data privacy for Europeans, even when they interact with global or non-European companies. Laws like the General Data Protection Regulation (or “GDPR”) seek to control how even U.S. companies, for example, use data from European citizens. To comply with the GDPR, U.S. companies doing business in Europe are required to use standard contract clauses, or “SCCs” in their agreements governing use of EU citizens’ data.
In June, the EC published two sets of these SCCs for cross-border data transfers and exchanges between controllers and processors. These govern the handling of personal information for organizations that transfer or receive personal data originating in the European Economic Area (“EEA”) to countries identified as having “inadequate” data protections (such as the U.S.). The express language of SCCs are preapproved by the EC, and organizations subject to GDPR cannot transfer data from European subjects without SCCs or alternative approved data transfer procedures already in place. These SCCs replace old SCC templates drafted over a decade ago, and are responsive to developments like the Court of Justice of the European Union’s recent Shrems II decision regarding the EU-U.S. Privacy Shield.
The new SCCs require data exporters to provide data subjects with information and notice that personal data will be processed, and with contact information for complaints or requests. The new SCCs are written with modular language; depending on the nature of the data transfer (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller), different language may apply and alter organization obligations. The new SCCs include provisions addressing when SCCs contradict data privacy request laws in other countries. Organizations are now obligated to notify the data exporter when it has received a data request from a non-European government and assess the validity and legality of complying with said request.
The new SCCs took effect on June 27, 2021, though old SCCs may still be drafted in pending contracts until September 27, 2021. All existing contracts that rely on old SCCs can continue use until December 27, 2022, by which time the new SCC language must be adopted. Organizations relying on SCC language should review the new SCCs and carefully consider what procedural changes the SCCs would require. Updating old contract forms, and reviewing current contracts using old SCC language before the deadlines would be prudent for companies wishing to export data out of the EU.