European Commission Approves New Standard Contractual Clauses for Transfer of European Personal Data

04 June 2021 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Aaron K. Tantleff, Jennifer L. Urban, Catherine Zhu

Earlier today, the European Commission approved and adopted a new version of the Standard Contractual Clauses (SCCs) that revises how data may be transferred by including additional privacy and legal safeguards. The remodeled approach is designed to provide companies with a means to more securely transfer data out of the European Economic Area (EEA). Companies worldwide have been looking forward to the new SCCs as thousands of businesses rely upon the SCCs for their daily operations, such as by cloud providers or internal processes including human resources.

In July 2020, the European Court of Justice (ECJ) stated that data transfers outside of the European Union (EU) relying upon the SCCs are prohibited if the exporter was not able to ensure an adequate level of data protection. This has put a burden on countless companies to reexamine their operations, as the consequences for violations under the European General Data Protection Regulation (GDPR)—which include fines of up to €20 million ($24.1 million) or four percent of annual global turnover (whichever is higher)—can be devastating for any company.

As a result, any company seeking to import data into the U.S. that wishes to rely upon the existing SCCs would have to review its existing protocols to ensure whether its current levels of protection are adequate and, if not, implement additional protocols designed to provide an adequate level of data protection. This could be an expensive and challenging effort to undertake for a number of businesses.

For many companies, the new SCCs will be a welcome sigh of relief with respect to the transfer of personal data. Just like the old SCCs, so long as they remain unmodified, the pre-approved standard approach taken in the new SCCs gives companies a straightforward means to implement a legal basis for the protection and transfer of personal data. When utilizing the new SCCs, companies should take comfort in knowing that they are complying with the requirements set forth under the GDPR and have addressed the concerns raised under Schrems II.

Notwithstanding the actions a company takes to adequately protect its data transfers, the ECJ, as noted, stated that the data protection authorities would be able to suspend or prohibit data transfers. This puts many companies in a bind, as they recognize that it might not be possible to adequately protect data in light of the laws of the U.S.

Thus, while the new SCCs are a welcome sigh of relief for many, the relief may only be temporary in the U.S. unless the U.S. addresses the EU’s concerns. Despite the comfort anticipated from the new SCCs, companies will still be required to evaluate data transfers on a case-by-case basis and may need to supplement the SCCs with additional security protocols based upon the nature and sensitivity of the data transferred.

What are the SCCs?

For those who are unfamiliar, the SCCs govern the transfer of data from the EEA to third countries that have not been deemed by the European Commission to provide “adequate” protections for data subjects’ rights and freedoms. While other transfer mechanisms exist, such as Binding Corporate Rules and the derogations permitted under the GDPR, the SCCs have emerged as one of the predominant transfer mechanisms used by companies, especially in the aftermath of the Schrems II case last summer, in which the ECJ struck down the EU-U.S. Privacy Shield Framework as an acceptable transfer mechanism.

Some Highlights

Companies will have approximately 18 months to replace all existing SCCs governing data transfers, which is likely a hefty administrative and operational task for many organizations.

The new SCCs take a modular approach to data transfers. Specifically, they allow not only for controller-to-controller transfers and controller-to-processor transfers, but also for processor-to-processor transfers and processor-to-controller transfers. This will give companies greater flexibility in adapting the new SCCs to various data transfer scenarios.

The new SCCs also address concerns raised by the Schrems II case and set forth requirements for data importers related to government data access requests, as well as requirements for data exporters to ensure an adequate level of protection for transferred data.

Next Steps

Because the existing versions of the SCCs may only be used for another three months, companies that have relied upon the SCCs as a transfer mechanism should begin now to evaluate the requirements outlined in the new SCCs alongside their own internal protocols and those of any third party involved in the processing of personal data.

Companies will need to amend or replace all vendor agreements to comply with the new SCCs in addition to replacing all intra-affiliate agreements to the extent personal data is transferred between them. Companies should also develop a plan for implementing additional privacy and security protocols and controls that are consistent with the requirements of the new SCCs, including how law enforcement access requests will be granted and how transfer impact assessments will be conducted.

Ultimately, companies will need to replace their existing SCCs with the new SCCs as well as update their internal privacy and security program as required by the new SCCs within the next 18 months to avoid potential violations of the GDPR. For a number of organizations, this could be a substantial undertaking and will take significant time and effort to complete, as companies will need to determine what additional measures are required in the context of their business operations to practically comply with the new SCCs.
