On June 4, 2021, the European Commission announced the definitive adoption and publication of revamped Standard Contractual Clauses (“SCCs”) for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”).
The revised SCCs include two sets: one for use between controllers and processors and one for the transfer of personal data to third countries. According to the Commission’s press release, the revised SCCs “offer more legal predictability” and provide “[m]ore flexibility for complex processing chains” by using a modular approach and offering the possibility for more than two parties to join and use the clauses. The revised SCCs seek to strike a balance between emphasizing the legal framework of the GDPR and addressing the uncertainty that has lingered since Schrems II.
Companies have fifteen months to transition from the previous SCCs and put the revised SCCs in place, subject to certain exceptions.
Background: Post-Schrems II, SCCs Plagued by Uncertainty
In July 2020, the Court of Justice of the European Union (the “CJEU”), in a decision known as Schrems II, invalidated the EU-U.S. Privacy Shield (the “Privacy Shield”). Although the CJEU did not foreclose companies’ reliance on SCCs, the CJEU cautioned that the continued validity of SCCs turned on whether transferred data can be afforded a level of protection “essentially equivalent” to that guaranteed within the EU.
After the invalidation of the Privacy Shield, SCCs largely became the default means of facilitating EU-U.S. data transfers. However, in August 2020, the Irish Data Protection Commission (“DPC”) dealt another blow with a provisional ruling against Facebook that questioned whether the U.S. can meet the “essentially equivalent” protection standard, citing the U.S. government’s mass surveillance as being at odds with the privacy rights of EU citizens. Additionally, the Irish DPC’s detailed inquiry into Facebook’s data protection measures called into question the legitimacy of SCCs as a safeguard, given the significant cost and expense of having to prepare for EU regulators to question each aspect of a company’s data protection program. In May 2021, the Irish High Court dismissed Facebook’s appeal of this decision, reinforcing the tenuous validity of the then-current SCCs.
A Few Key Features of the Revised SCCs
- Docking Clause: (Clause 7) Parties may use an optional docking clause whereby new parties can agree to the revised SCCs, either as a data exporter or a data importer, at any time by executing a specific annex.
- Schrems II Legacy: (Clause 14) Parties are required to warrant that they have “no reason to believe that the laws and practices in the third country . . . applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations” under the revised SCCs. In making such a warranty, the data exporter is required to make a comprehensive risk assessment available to regulators on request. Additionally, Clause 15 of the SCCs sets out detailed obligations for data importers in third countries upon receipt of government requests for access to transferred personal data, including objecting to such requests and providing the minimum amount of information possible.
- Security: (Clause 8) The SCCs provide more detailed guidance on the types of required supplementary security controls by specifically referencing encryption and providing a reference list of potential organizational and technical safeguards to ensure the security of processing as necessary.
What This Means For You
Without many viable alternatives for international data transfers post-Schrems II, the Commission’s statement that the revised SCCs constitute an adequate safeguard is a welcome development. However, before diving straight into repapering legacy SCCs, organizations should focus on a holistic evaluation of existing relationships, data flows, and the roles of the parties involved in personal data transfers subject to the GDPR, especially in light of the new SCCs governing processor-to-subprocessor transfers. Businesses should also evaluate the implementation of any new technical and organizational security requirements for themselves and their subprocessors. In addition, the 15-month transition period applies only to previously executed agreements that have not been further amended. In other words, if a company is using legacy SCCs but amends other processing operations under the associated agreement, the SCCs should be updated as well.