In June, the European Commission published the final version of a new set of standard contractual clauses (SCCs) that can be used to comply with the EU’s General Data Protection Regulation (the “GDPR”). These clauses are of particular importance to US companies dealing with companies in the European Economic Area (EEA) because the most commonly used alternative to the SCCs had been the EU-US Privacy Shield, which the European Court of Justice invalidated last year.
The new regulations have a phase-in period, when all existing contracts that rely upon the old versions of the SCCs will likely have to be revised. The key dates are 27 September 2021, before which time companies may continue to use the old SCCs; and 27 December 2022, when use of the old SCCs will not be sufficient to comply with the GDPR.
The new SCCs are both more flexible and more demanding than the old ones. For flexibility, they are drafted in a modular form that allows companies to choose only those provisions that apply to the relationships that they have with each other and with respect to the data. They also apply to relationships that had not been covered at all by the old SCCs, such as transfers from one data controller to another. And they permit the addition of new parties to SCCs previously agreed upon by two or more initial signatories.
The new burdens are significant. In particular:
- The new SCCs require the parties to assess – via a “transfer impact assessment” – whether the laws of the country into which the data is being transferred is consistent with the SCCs and the GDPR, and whether further measures (such as encryption) are needed to assure adequate protection of personal information. This assessment must be in writing and preserved for later examination by EU data protection authorities.
- If a governmental authority requests personal information, the data importer may be required to notify the exporter and/or the data subject of the request and resist it if that is practicable.
- The data importer must inform the data subjects, either directly or through the data exporter, of its identity and contact details, of the categories of data being processed, of the subject’s right to obtain a copy of the SCCs, and details regarding any planned onward transfers. This requirement will not apply if the exporter has already provided the information or if compliance would be impossible or involve disproportionate effort for the data importer.
- While this is not a new requirement, it is worth mentioning that the parties must specify the technical and organizational measures used to protect the data.
These and other details vary from module to module. Thus, the obligations of a US company receiving personal information about EU residents may vary depending upon which party (if any) is a “controller” of that data, and which party (if any) is a “processor” of that data.
In short, if your business involves the receipt of information about EU residents from another company, you can expect to have to overhaul existing SCCs that you have in place and to use the new SCCs in any new contracts signed after September 27, 2021.