On June 4, 2021, the European Commission (the “EC”) adopted the highly anticipated updated Standard Contractual Clauses (the “Updated SCCs”) for international data transfers, following the Court of Justice of the European Union’s Schrems II decision of July 2020, which invalidated the EU-US Privacy Shield. Although Schrems II upheld SCCs as a lawful transfer mechanism under the EU’s General Data Protection Regulation (“GDPR”), the Court also held that the laws of the receiving country can undermine the protections the SCCs provide, creating considerable uncertainty and increased risk for SCC-based transfers of data from the EU to the U.S. The Updated SCCs are intended to “address the realities made by modern business” by providing greater flexibility and protection for international data sharing.
With the Updated SCCs come both welcome and onerous requirements that businesses will need to consider as they adapt current contracts and data sharing practices to comply with the updates, as well as draft future data sharing agreements.
A Modular Approach: The Updated SCCs provide flexibility by addressing a variety of data sharing scenarios, so that organizations can select the clauses that accurately reflect the transfer actually taking place. The old SCCs, which predate the GDPR, covered only controller-to-controller and controller-to-processor transfers. The Updated SCCs add modules for processor-to-processor and processor-to-controller transfers. In addition, an optional “docking clause” allows organizations to join or leave an existing set of SCCs without the need to formally amend them, which simplifies transfer agreements among groups of subsidiaries. This modular approach modernizes data sharing by letting companies describe their arrangements more accurately and adapt them more easily.
GDPR Article 28(3) Compliance: Article 28(3) of the GDPR, which has applied since May 25, 2018, requires contracts between controllers and processors to contain specific provisions protecting EU personal data. Because the old SCCs predate the GDPR, they did not satisfy all of the Article 28(3) requirements, and organizations typically had to layer a separate data processing agreement on top of them. The Updated SCCs streamline this: the controller-to-processor and processor-to-processor modules incorporate the Article 28(3) terms, so a single agreement can govern both the transfer and the processing relationship between an EU organization and a service provider or business partner located outside the EU, instead of the SCCs plus a separate processing agreement that organizations often had to enter into for GDPR compliance.
Schrems II Impact: The Schrems II decision highlighted the need for additional protections, particularly against access to EU personal data by public authorities outside the EU. Supplementary measures are called for where the law of the data importer’s country would allow public authorities to access EU personal data in a way that effectively undermines the SCCs’ protections. The Updated SCCs address this with two sets of provisions. First, the parties must warrant that they have no reason to believe that the law and practice in the importer’s country will prevent the importer from complying with the SCCs, must document that assessment (commonly called a transfer impact assessment), and must make the documentation available to the competent supervisory authority on request. Second, if a public authority requests access to transferred EU personal data, the data importer must notify the data exporter and, where possible, the affected data subjects, review the legality of the request, and challenge it, including through available appeals, where there are reasonable grounds to consider it unlawful.
Although the Updated SCCs greatly streamline data transfers, some of the requirements will prove burdensome, and organizations must put in place review processes that are detailed and accurate. For example, in light of the Schrems II impact, organizations will need to document each type of data transfer so that they can produce the documentation for supervisory authorities on request. The Updated SCCs also include Annexes that require considerably more detail than the previous SCCs: the parties to the transfer, the categories of data subjects and personal data, the purposes of the processing and retention periods, the safeguards applied to sensitive data, and a description of the technical and organizational measures protecting the transferred EU personal data.
Moreover, the Updated SCCs carry greater enforcement risk for data importers. EU data subjects may invoke the clauses as third-party beneficiaries and lodge complaints against data importers, and importers agree to submit to the jurisdiction of the competent EU supervisory authority and EU courts, although the parties retain some flexibility to choose which EU member state’s law governs the clauses. With the greater risk of enforcement comes the need to maintain detailed records both justifying and tracking data transfers in the event an organization becomes the subject of a comprehensive review.
The Updated SCCs entered into force on June 27, 2021. Organizations may continue to conclude new agreements on the old SCCs for three months after that date, until September 27, 2021. Agreements concluded on the old SCCs before that date remain valid for an 18-month transition period, until December 27, 2022, provided the processing operations covered by the agreement remain unchanged; by then they must be migrated to the Updated SCCs. Nevertheless, the sooner organizations implement the Updated SCCs in new processing agreements, as well as in agreements currently being negotiated, the better. Organizations should carefully review their data maps and determine what analysis and transfer impact assessments need to be completed in light of the Schrems II decision.
Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18 (Court of Justice of the European Union, 16 July 2020).