At long last, the European Commission, on June 4, 2021, adopted new Standard Contractual Clauses (“new SCCs”) to permit lawful transfers of personal data from the European Union (EU) to third countries such as the United States.1 This development is critical for U.S. multinational employers that rely heavily on centralized, web-based platforms for key aspects of global human resources administration, such as recordkeeping, performance evaluation, expense reimbursement, and diversity and inclusion initiatives.
Every U.S. multinational employer that currently relies on the existing Standard Contractual Clauses (“existing SCCs”) will be required to update numerous agreements. These include the existing SCCs used to transfer HR data from EU subsidiaries to members of the corporate group located in the United States and other third countries, as well as the existing SCCs used to legitimize transfers of EU personal data to the many service providers located outside the EU on which U.S. multinational employers typically rely.
The update process potentially will be onerous. The new SCCs introduce new compliance and documentation requirements and increase risk by expressly subjecting the U.S. parent corporation and its non-EU affiliates that receive EU personal data to the jurisdiction of EU data protection regulators and EU courts. Fortunately, the European Commission’s decision provides a grace period until January 1, 2023, and potentially later, to complete the update process.2 Nonetheless, U.S. multinational employers should not push the update process to the back burner for too long as certain aspects of that process will be time consuming and challenging.
What Are The Standard Contractual Clauses And Why Are They Important?
For many multinational employers, Standard Contractual Clauses offer the only practical means of transferring human resources data to countries outside of the EU. The EU’s General Data Protection Regulation3 (“GDPR”) permits the transfer of data related to an identifiable natural person (“personal data”) to countries outside the EU only in limited circumstances. Companies may transfer personal data without restriction to a handful of countries that the European Commission has deemed to provide “adequate” data protection. These “adequate” countries do not include the United States. Otherwise, personal data can be transferred to a third country only in reliance on an approved data transfer mechanism, such as the SCCs, or on certain narrow exceptions (“derogations”) that typically are not a practical solution for U.S. multinational employers.
Standard Contractual Clauses offer multinational employers a relatively efficient means of ensuring adequate protection for data transfers. Approved by the European Commission in the early 2000s, the existing SCCs consist of standard contracts, signed by the party located in the European Union that intends to transfer personal data (the “data exporter”) and by the party located elsewhere that plans to receive that data (the “data importer”), and an annex used to describe the details of the data transfer. Once signed, the existing SCCs impose data protection obligations on the data importer designed to provide protections for the transferred personal data that are essentially equivalent to those provided under EU law.
Why Were New SCCs Needed?
Data exporters and importers around the globe have expected a new version of the Standard Contractual Clauses for at least five years. First, the enactment of the GDPR in 2016 made the existing SCCs outdated. These SCCs were based on the EU Data Protection Directive,4 the data protection legislation that pre-dated the GDPR. The existing SCCs did not address the many changes that the GDPR introduced to EU data protection law.
Second, in July 2020, the Court of Justice of the European Union (“CJEU”) issued a landmark ruling, popularly called “Schrems II”,5 that recognized the adequacy of the protections offered by existing SCCs for transferred EU personal data, but at the same time, emphasized that the receiving country’s laws could unduly undermine those protections.6 The CJEU opined that the parties to the agreement must evaluate whether local law or practices would permit government authorities excessive access to the transferred personal data. If so, the parties would be required to implement “supplemental measures” to ensure a level of protection for personal data essentially equivalent to that provided by the GDPR. Consequently, the new SCCs also were necessary, in part, to bolster the existing SCCs.
What Do The New SCCs Retain From The Existing SCCs?
Like the existing SCCs, the new SCCs can provide a means for companies to transfer personal data out of the EU. Although companies must still assess local laws in the data importer’s country and consider supplemental measures, the new SCCs, like the existing SCCs, provide at least a first step toward complying with the GDPR’s requirement to ensure adequate data protection.
In addition, the structure of the new SCCs will look familiar to those who have used the existing SCCs. Like the existing SCCs, the new SCCs consist first of standard clauses that the parties cannot modify. The standard clauses are followed by annexes that the parties must customize based on the details of the specific data transfer.
Finally, just as with the existing SCCs, the new SCCs can be incorporated into a larger contract, such as a master service agreement. The parties also can supplement the new SCCs with additional terms as long as those additional terms do not conflict with the standard clauses.
What’s New In The New SCCs?
The new SCCs introduced a wide range of additional requirements for data exporters and data importers. This section summarizes just the key changes. The first three subsections below describe changes that will streamline data transfers and the last three cover updates that impose new and onerous obligations.
- Increased Flexibility:
The new SCCs offer much-needed flexibility to handle data transfer arrangements. The existing SCCs only had versions for controller-to-controller data transfers, such as transfers from EU subsidiaries to a U.S. parent corporation, and controller-to-processor data transfers, e.g., transfers from EU subsidiaries to a U.S.-based performance review platform. In addition to covering these two situations, the new SCCs can be used for processor-to-sub-processor data transfers, i.e., transfers from a service provider to its subcontractors, and for transfers from a processor in the EU to a controller in a third country, for example, when a German payroll administrator for a German subsidiary uploads payroll data directly to the U.S. parent corporation. For companies that had to awkwardly shoehorn data transfers into the existing SCCs, the new options will come as a relief.
In its decision regarding the new SCCs, the European Commission also validated two common practices that have helped multinationals execute SCCs more efficiently. Multinationals often execute one Standard Contractual Clauses agreement among multiple subsidiaries. When subsidiaries join or leave the family of companies, the multinational simply adds or eliminates signatories, rather than formally amends the agreement. The European Commission designed the new SCCs to facilitate both common practices.
- The New SCCs Satisfy GDPR, Article 28(3):
The GDPR requires controllers, such as employers, to have their service providers (“data processors”) agree by contract to a set of provisions listed in Article 28(3). Because the existing SCCs pre-dated GDPR, they did not address all of the required clauses, forcing EU subsidiaries to execute with vendors located outside the EU a data processing agreement that satisfied both the Article 28(3) requirements and the existing SCCs. Because the new SCCs post-date GDPR, they address all of the Article 28(3) requirements, thereby eliminating the need for two agreements between EU subsidiaries and non-EU service providers.
- Schrems II Compliance:
As noted in the Section above, entitled “Why Were New SCCs Needed?”, the CJEU’s decision in Schrems II requires the parties to the SCCs to implement “supplementary measures” where warranted by an assessment of local law. Supplemental measures will be necessary where local law in the data importer’s country would allow public authorities to gain access to transferred EU personal data in a way that would undermine the SCCs’ protections.
The new SCCs include two provisions that address Schrems II concerns. First, the data importer must (a) warrant that local law does not interfere with its ability to comply with the SCCs, and (b) document its analysis of local law to support this warranty. The data importer must provide this documentation to relevant EU data protection regulators upon request.
Second, the new SCCs effectively require data importers to litigate government demands for production of transferred EU personal data through an appeal. Data importers also must notify, where legally permitted, the data exporter and, where feasible, the EU data subjects of the request by the government for personal data.
- New Documentation Requirements:
The new SCCs explicitly provide that the data importer “shall be able to demonstrate compliance with its obligations under these Clauses.” As noted in the preceding subsection on “Schrems II Compliance,” the new SCCs also impose on the data importer an obligation to provide documentation of compliance to the competent supervisory authority upon request.
- More Detailed Annexes:
The annexes to the new SCCs require far more detail than required under the existing SCCs. For example, the new SCCs require inclusion of retention periods for transferred EU personal data, an identification of additional protection for sensitive personal data, and a detailed description of the technical and administrative safeguards the data importer implements for transferred EU personal data. Due to the wide variety of human resources data that a multinational employer may transfer to a centralized human resources database in the U.S. and the extent of sensitive personal data, these requirements will lead to considerably more time needed to draft annexes.
- Greater Enforcement Risk For Data Importers:
Finally, several provisions in the new SCCs increase the risk to U.S. parent corporations of regulatory scrutiny in relation to transfers of EU employees’ personal data. Unlike the existing SCCs, the new SCCs emphasize that data importers are subject to the jurisdiction of EU supervisory authorities, and that EU residents may submit complaints against data importers to EU supervisory authorities and EU courts. Notably, the new SCCs require data importers to report data breaches directly to EU supervisory authorities, and several provisions require the production of compliance documentation upon request. A reported data breach will run the risk of a comprehensive review of the data importer’s documentation related to its data transfers.
These changes likely will come as an unwelcome shock to U.S. parent corporations that are not directly subject to the GDPR. In essence, the new SCCs carry GDPR-like risks and liability across the EU’s borders to data importers in the U.S. and other third countries.
What Should U.S. Multinational Employers Do Now?
Although U.S. multinational employers have more than 18 months to migrate to the new SCCs, they should not wait until late 2022 to start the process. Completing the annexes of the SCCs alone will take substantial time. The new SCCs also require dramatically enhanced safeguards and notice, reporting, and recording obligations. In addition, U.S. companies should bear in mind that the California Privacy Rights Act and Virginia Consumer Data Protection Act go into effect on January 1, 2023, which may also end up marking the end of the grace period for implementing the new SCCs. At many companies, this convergence of major new compliance obligations may lead to overwhelmed privacy and compliance departments by late 2022.
Over the next year, U.S. multinational employers should consider taking at least the following steps:
- Map Data Transfers: U.S. multinational employers should map all data transfers from their EU subsidiaries to gather the information needed to identify all existing SCCs that will need to be updated and to complete the new SCCs’ more detailed annexes.
- Conduct Schrems II Assessment of Local Law: The new SCCs effectively require the parties to conduct and document a detailed assessment of whether the laws and practices of the destination country prevent the data importer from fulfilling its obligations under the new SCCs’ standard clauses.
- Implement New Internal Policies and Procedures: The new SCCs impose numerous obligations on data importers, such as responding to requests from individuals to exercise their GDPR rights, purging personal data that no longer is needed for the purposes for which it was transferred, and litigating government requests to access transferred EU personal data. U.S. multinational employers likely will need to modify existing policies or implement new policies to fulfill these new obligations.
- Update Data Processing Notices: To address the new SCCs’ requirement that the parties provide more robust information to data subjects about cross-border data transfers, data processing notices provided to job applicants, employees, and others will need to be revised to include additional information about cross-border data transfers.
- Safeguards for Transferred Personal Data: Data importers must implement detailed technical and administrative safeguards for transferred EU personal data.