European Commission Releases New Standard Contractual Clauses and Announces Compliance Deadlines
Important update for organizations transferring personal data out of the European Economic Area (“EEA”).
Organizations with data ties to Europe will need to undertake significant efforts to meet quickly approaching deadlines based on recent announcements. On June 4, the European Commission published its long-awaited revisions to Standard Contractual Clauses (“SCCs”). A couple of weeks later, on June 21, the European Data Protection Board (“EDPB”) issued the final version of its recommendations on supplemental safeguards, which contain essential guidance on the use of the new SCCs.
The issuance of new SCCs and the publication of EDPB guidance significantly impact how US companies can transfer personal data outside of the EEA. The new SCCs replace the current SCCs, which many US companies have relied on for their cross-Atlantic data transfers. Organizations have until September 27, 2021, to begin using the new SCCs and must update all existing agreements with the new SCCs by December 27, 2022.
The adoption of the new SCCs and release of EDPB guidance come in the wake of the 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II (C-3111/18) case, which invalidated the EU-U.S. Privacy Shield, forcing companies to rely instead on SCCs or another approved mechanism for data transfers. If an organization has not updated its agreements since 2020 and relies on the EU-U.S. Privacy Shield to transfer data, it already faces legal risk.
In addition to invalidating the EU-U.S. Privacy Shield, the European Court’s ruling called into question the adequacy of the SCCs for data transfers to the U.S. The General Data Protection Regulation (“GDPR”) only allows for the transfer of EU personal data to a non-EU country when the parties have secured an adequate level of protection. Since the ruling, the European Commission has labored to create new guidance and SCCs that would adequately protect EU personal data.
To address the CJEU’s concerns as well as those raised by industry, the SCCs make a number of changes; they demand greater accountability and address additional possible data transfer scenarios.
Adequacy and Other Concerns
Under the EDPB’s June 2021 guidance, parties must guarantee that the data importer can fulfill its SCC obligations under the laws of the country where the importation will occur. The analysis involves a risk-based approach that requires the parties to document (1) the data transfer specifics, (2) the destination country’s laws and practices, and (3) additional safeguards the parties decide to implement.
The SCCs also require the data importer to notify the data exporter of any government access requests. When the country of import bars such notifications, the data importer must make every effort to obtain a waiver of the prohibition. In addition, data importers must assess whether they can legally challenge the government request for data. With these requirements, companies will want to ensure procedures are in place to respond appropriately to government data requests.
The SCCs further allow for greater customization by using four modules and introducing new standard clauses.
This approach creates different obligations for the parties based on the relevant data export scenario: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. These permutations include a greater breadth of processor scenarios than existed in the old SCCs.
Moreover, parties choosing to use the SCCs will no longer need to enter a data protection agreement or addendum, since the SCCs satisfy the legal requirements of Article 28 of the GDPR. As a result, SCCs may become part of a larger agreement or may be supplemented by additional clauses if no contradictions exist with the materials accompanying the SCCs.
The SCCs also introduce clauses that create greater flexibility and adaptability by:
- Anticipating use by data exporters outside the EU,
- Facilitating multi-party use by including an optional docking clause, which allows additional organizations to subscribe to the clauses, and
- Contemplating parties’ ability to choose, in some instances, the governing law and jurisdiction of any EU member state.
The new SCCs became effective June 27, 2021. Organizations have three months from the effective date to transition from using the old SCCs for new agreements. By December 27, 2022, all existing agreements (new and previously executed) incorporating SCCs must use the new SCCs.
This alert highlights a few of the changes brought about by newly adopted SCCs and EDPB guidance. The obligations and opportunities for companies under the SCCs are significant. The European Commission has only provided companies with a limited window to make the necessary changes. Kirton McConkie has the expertise to help you navigate these issues. Please let us know if you have any questions or concerns by reaching out to:
Lee A. Wright | firstname.lastname@example.org
Chad Grange | email@example.com
Rachel Naegeli | firstname.lastname@example.org
Robert Snyder | email@example.com