The European Commission has published the hotly anticipated revised Standard Contractual Clauses (SCCs), which will serve as the new framework for complying with the General Data Protection Regulation (GDPR). The new SCCs represent a significant change, with the most noteworthy addition being a new requirement that the parties conduct a Schrems-inspired Transfer Impact Assessment (TIA).
The European Union’s GDPR has become the world’s most influential data privacy and security law. Maintaining compliance with the GDPR has been a top priority for businesses located all around the world. Companies that collect personal data subject to the GDPR may only transfer the relevant personal data outside of the EU to countries that have been approved as having adequate data protection laws in place, or to importers that have established adequate safeguards to protect imported data. Unfortunately, many countries, including the United States, have not implemented data protection laws that satisfy the GDPR requirements, and thus controllers and processors desiring to transfer personal data outside of the EU to these non-approved countries must rely on another mechanism to ensure compliance. Another approved method under the GDPR has been the use of SCCs: standard form contracts that data importers and exporters can use to contractually ensure that appropriate safeguards have been established. These SCCs are drafted and published by the European Commission.
Last summer, the Court of Justice of the European Union (CJEU) struck down an alternative framework for complying with GDPR, the EU-U.S. Privacy Shield. The court’s reasoning focused on the U.S.’s wide-reaching surveillance efforts, most notably those conducted under FISA Section 702 and Executive Order 12333, which empower the U.S. federal government to obtain data from certain businesses within the U.S., often with the goal of gaining intelligence on foreign nationals. This case has become known as Schrems II.
In the wake of Schrems II, it became clear that the European Commission would need to update the SCCs in order to comply with both GDPR and the court’s ruling. On June 4, 2021, the final version of the new SCCs was published. These new SCCs aim to align more closely with the language of GDPR and address the CJEU’s findings in Schrems II.
What Exactly Has Changed?
A Modular Approach. Previously, there were only two SCC forms published by the European Commission: one for controller to controller data transfers and one for controller to processor data transfers. The new SCCs include four forms for different transfers: controller to controller, controller to processor, processor to processor, and processor to controller.
Transfer Impact Assessment. Also known as Schrems Privacy Impact Assessments, TIAs will be required in order to assess whether the laws of the country where data is to be imported will compromise the protections afforded to the data subject through the SCCs and GDPR. In considering whether the SCCs’ effectiveness will be undermined by the local laws of the importing country, the parties will likely be able to consider such factors as the data importer’s previous experience in receiving governmental requests for data, the consistency of enforcement of the relevant local laws, and the likelihood that the data importer will receive a governmental request for data in light of the data importer’s industry. The European Commission’s final recommendation of factors to consider in a TIA is yet to be published. If the parties find that the local laws of the recipient country will compromise the protections granted by the SCCs, then the parties must implement technical and organizational measures to ensure an appropriate level of security. If such measures cannot be implemented, then the transfer shall not occur.
Data Access Requests. Under certain circumstances, data importers may be required to notify the data exporter upon the receipt of a data access request. Additionally, the data importer may be compelled to examine the legal validity of the request and mount a legal defense against the request.
Onward Data Transfers. The new SCCs allow for onward transfers of subject data if certain conditions are met. Most notably, if the data subject provides consent, if the recipient country is deemed to provide an adequate level of protection for personal data, or if the recipient agrees to be bound by the SCCs or otherwise ensures the same level of protection as the SCCs, then onward transfers are generally permitted.
Data Subject Requests. Data subjects are granted several rights, including the right to obtain a copy of the SCCs upon request and the right to be informed of any change in the purpose for processing or the identity of any third-party recipient. However, the right to obtain a copy is limited, as the importer and exporter are permitted to redact the provided copy to the extent needed to protect confidential information. In response, the data subject can request the reasons for the redactions.
Annexes. The new SCCs include three annexes to be attached to the Appendix. Annex I shall include a list of the parties, a description of the transfers, and the identity of the supervisory authority for the parties. The parties are encouraged to complete a new version of Annex I for every individual category of data transfer.
Annex II is to be completed by the data importer. It is to include a description of the technical and organizational measures to be implemented for the transfer(s).
Annex III is to list the sub-processors whose service is employed by the processor, if applicable.
Transitional Period. The European Commission is granting an 18-month grace period to transition to the new SCCs. Thus, all SCC relationships must implement the new SCCs by December 2022. During this transitional period, parties are allowed to use the old SCCs in existing relationships. In agreements currently being negotiated, the old SCCs can only be used if negotiations are finalized within the next three months. If the relationship is likely to last beyond December 2022, however, it may be best practice to simply adopt the new SCCs now rather than adopt an amendment later.
Identify All Current Effective SCCs. Entities that use SCCs for data transfers should identify all currently effective SCCs that they have in place. Additionally, entities should make note of any potential future relationships that will rely on SCCs. Implicated entities should also assess and record the categories of data transfers being conducted under these agreements and the roles of the parties as processor, controller, sub-processor, or other third party.
Impact of Local Laws. Implicated entities should be prepared to assess and record where the data importer(s) are located, whether the importing country is deemed to provide an adequate level of protection for personal data, whether the new SCCs will be sufficient to provide an adequate level of protection for the data subject’s data, whether other technical and organizational safeguards will be required, and whether such necessary technical and organizational safeguards exist.
Recommendation to Update DPAs. The new SCCs will likely require significant updates to businesses’ Data Processing Agreements/Addendums (DPAs). Form DPAs will need to be updated to reflect the changes that have been implemented into the new SCCs.
Need assistance updating your DPA or navigating through the requirements of GDPR or the new SCCs? Reach out to the McGrath North Privacy and Cybersecurity team who has the experience and knowledge to guide you through these complex and burdensome rules in an efficient and tailor-made manner.