Earlier today, the European Commission approved and adopted a new version of the Standard Contractual Clauses (SCCs) that revises how personal data may be transferred by including additional privacy and legal safeguards. The remodeled approach is designed to give companies a means to transfer data out of the European Economic Area (EEA) more securely. Companies worldwide have been looking forward to the new SCCs because thousands of businesses rely on them for daily operations, whether in contracts with cloud providers or in internal processes such as human resources.
In July 2020, the European Court of Justice (ECJ) held in Schrems II that data transfers outside of the European Union (EU) relying on the SCCs are prohibited if the exporter cannot ensure an adequate level of data protection in the destination country. This has put a burden on countless companies to reexamine their operations, as the consequences for violations under the European General Data Protection Regulation (GDPR)—which include fines of up to €20 million ($24.1 million) or four percent of annual global turnover (whichever is higher)—can be devastating for any company.
As a result, any company importing data into the U.S. that wishes to rely on the existing SCCs has had to review its existing protocols to determine whether its current level of protection is adequate and, if not, implement additional protocols designed to provide one. For a number of businesses this has been an expensive and challenging effort.
For many companies, the new SCCs will be a welcome sigh of relief with respect to the transfer of personal data. Just like the old SCCs, so long as they remain unmodified, the pre-approved standard approach taken in the new SCCs gives companies a straightforward means to establish a legal basis for the protection and transfer of personal data. When using the new SCCs, companies can take comfort in knowing that they are complying with the requirements set forth under the GDPR and have addressed the concerns raised in Schrems II.
Notwithstanding the actions a company takes to adequately protect its data transfers, the ECJ also stated in Schrems II that data protection authorities may suspend or prohibit data transfers. This puts many companies in a bind, as they recognize that it might not be possible to adequately protect data in light of U.S. surveillance laws.
Thus, while the new SCCs are a welcome sigh of relief for many, the relief may only be temporary for transfers to the U.S. unless the U.S. addresses the EU's concerns. Despite the comfort the new SCCs provide, companies will still be required to evaluate data transfers on a case-by-case basis and may need to supplement the SCCs with additional security protocols based on the nature and sensitivity of the data transferred.
For those who are unfamiliar, the SCCs govern the transfer of personal data from the EEA to third countries that the European Commission has not deemed to provide "adequate" protection for data subjects' rights and freedoms. While other transfer mechanisms exist, such as Binding Corporate Rules and the derogations permitted under the GDPR, the SCCs have emerged as one of the predominant transfer mechanisms used by companies, especially in the aftermath of the Schrems II case last summer, in which the ECJ struck down the EU-U.S. Privacy Shield Framework as an acceptable transfer mechanism.
Companies will have approximately 18 months to replace all existing SCCs governing data transfers, which is likely a hefty administrative and operational task for many organizations.
The new SCCs take a modular approach to data transfers. Specifically, they cover not only controller-to-controller and controller-to-processor transfers, but also processor-to-processor and processor-to-controller transfers. This gives companies greater flexibility in adapting the new SCCs to various data transfer scenarios.
The new SCCs also address the concerns raised in the Schrems II case: they set forth obligations of data importers with respect to government data access requests, and obligations of data exporters to ensure an adequate level of protection for the transferred data.
Because the existing versions of the SCCs may only be used for new transfers for another three months, companies that have relied on the SCCs as a transfer mechanism should begin now to evaluate the requirements outlined in the new SCCs alongside their own internal protocols and those of any third party involved in the processing of personal data.
Companies will need to amend or replace all vendor agreements to comply with the new SCCs, in addition to replacing all intra-affiliate agreements to the extent personal data is transferred between affiliates. Companies should also develop a plan for implementing additional privacy and security protocols and controls consistent with the requirements of the new SCCs, including how government and law enforcement access requests will be handled and how transfer impact assessments will be conducted.
Ultimately, companies will need to replace their existing SCCs with the new SCCs, and update their internal privacy and security programs as the new SCCs require, within the next 18 months to avoid potential violations of the GDPR. For a number of organizations this will be a substantial undertaking that takes significant time and effort to complete, as companies will need to determine what additional measures are required in the context of their business operations to comply with the new SCCs in practice.
For continuing coverage of this Foley News Alert topic as well as related insights, please visit our Privacy, Cybersecurity & Technology Law Perspectives blog on Foley.com, where you can also subscribe to receive updates directly in your inbox.
If you have questions about this alert or you would like to discuss this topic further, please contact your Foley attorney, one of the authors listed below, or another core member of Foley’s Cybersecurity Practice.