Transfers of personal data from the EU to the United States intended to comply with EU data protection requirements had previously been made pursuant to both the Privacy Shield framework as well as the use of standard contractual clauses promulgated by the European Commission, and/or Binding Corporate Rules. However, as we previously updated, companies in the United States can no longer rely on the Privacy Shield following the decision of the Court of Justice of the European Union (EU) in case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (known as “Schrems II”).
Schrems II also questioned whether the use of standard contractual clauses alone was sufficient to ensure adequate protection of personal information as afforded in EU law or whether additional safeguards may be necessary for data transfers to the US.1 Schrems II provided that the data exporter and data importer should complete an assessment of the data at issue to ensure an essentially equivalent level of protection as provided by EU law.
In response, the European Commission has formally adopted updated standard contractual clauses (“SCCs”) for transfers of personal data to non-EU countries.2 These SCCs went into effect on June 27, 2021 and are intended to address comments to the prior SCCs as well as Schrems II.
Data Transfers Covered by the SCCs
- MODULE ONE: Transfer controller to controller
- MODULE FOUR: Transfer processor to controller
- MODULE THREE: Transfer processor to processor
- MODULE TWO: Transfer controller to processor
Organizations are to select the module as appropriate to the data transfer. Only one module is to be used based on the party transferring the data (Controller or processor) and the party receiving the data (Controller or processor).
Timeframe for Compliance with the SCCs
For new data transfers over the next three months, the prior version of the standard contractual clauses may continue to be used as organizations transfer to the revised SCCs. In addition, data transfers already subject to existing standard contractual clauses will have an additional 15 months, or 18 months total, to implement the new SCCs with full compliance required by December 27, 2022.
Highlights of the new SCCs
The revised SCCs include an optional clause, Clause 7 – the Docking clause. Previously, the prior SCCs would apply to just the initial two parties to the agreement. This Docking clause can be used for contracts with multiple parties as well as to add additional parties after an agreement is already entered into.
Clause 8 - Data protection safeguards is a general requirement of the SCCs that is applicable to all modules. It requires an express warranty by the data exporter with respect to the measures implemented by the data importer to protect personal information, providing as follows:
“The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.”
Each of the modules further include more detailed and specific requirements as to the protection of data, including avoiding any breach of personal data.
A new section was added to specifically address Schrems II. Specifically, Section III entitled “LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES” and includes Clause 14(a) which specifically requires compliance with GDPR requirements3 – and states:
“The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.” (Emphasis added).
What Do Businesses Need to Do Now?
Businesses that process personal data or rely on data processors for data transfers from the EU to the United States should complete a detailed review of the standard contractual clauses that may be included in your current contract documents to determine what action is needed to transition to the new SCCs.
Why Does This Matter For Businesses?
- The revised SCCs provide a level of certainty for organizations that they may now rely on these SCCs, as opposed to the use of supplementary procedures – which will no longer be necessary for compliance with current EU requirements.
- However, based on the SCCs, due diligence is necessary to ensure that both technical and organizational measures are in place to protect information being transferred.
- Similarly, data mapping will become critical to confirm these safeguards and the flow of data. Should multiple parties be involved, contracts can incorporate the SCCs as needed for all parties involved with the data transfer.
- Data privacy attorneys can consult on GDPR requirements following the completion of any mapping exercise.
1 See Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, White Paper, September 2020.
2 See https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
3 Regulation (EU) 2016/679.