Update on Personal Data Transfers from the European Union – New Standard Contractual Clauses
The European Commission (EC) recently finalized new Standard Contractual Clauses (SCCs), updating a method used by many companies to lawfully transfer personal data out of the European Union (EU) under the EU General Data Protection Regulation (GDPR). Please read below for the steps you can take now to prepare for this change.
What are the SCCs?
Under the GDPR, companies that transfer personal data out of the EU to the United States must ensure appropriate safeguards are in place. Previously, the EU-U.S. Privacy Shield was a widely adopted measure for complying with this requirement. However, in July 2020, the Court of Justice of the European Union invalidated the EC’s adequacy decision for the EU-U.S. Privacy Shield, meaning that it could no longer be relied upon to meet the GDPR’s data transfer requirement. That decision, referred to as Schrems II, prompted many businesses in the U.S. to turn to SCCs as an alternative data transfer mechanism.
How are the new SCCs different from the old SCCs?
The new SCCs replace clauses that are, in some cases, over 20 years old. They take into account developments in European data protection law, including the adoption of the GDPR and the Schrems II decision.
The new SCCs employ a modular design that allows parties to choose the module that is most applicable to the transfer scenario, which in turn allows for a more tailored set of obligations than was previously possible under the old SCCs. The modules are:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3) (previously not available)
- Processor-to-controller transfers (Module 4) (previously not available)
Other notable updates include:
- Addressing the concerns raised by Schrems II, the new SCCs impose a duty on parties to prepare a data transfer impact assessment. The data transfer impact assessment must:
- Analyze whether the laws and practices of the data importer country will interfere with the parties’ ability to comply with their obligations under the SCCs.
- Address the circumstances of the transfer, including the type of data involved and the safeguards in place, and early indications from regulators suggest that parties will be expected to offer a detailed analysis to substantiate their reasoning.
- Parties must detail the measures taken to safeguard the security of transferred data “in specific (and not generic) terms.” Although an extensive list of proposed safeguards is baked into the SCCs, parties can consider the nature, scope, context and purpose of the processing, and the risks to the rights and freedoms of natural persons, in determining the measures to implement. Vendors and customers will need to align on the specific, technical, measures employed to safeguard the cross-border transfer of data at issue.
- The new SCCs give greater rights to data subjects, who may now enforce provisions of the new SCCs against both the data importer and the data exporter. Under the old SCCs data subjects were only able to enforce rights against the data importer in limited circumstances.
- The new SCCs add a “docking” clause which permits additional controllers and processors to agree to the SCCs after an agreement is already in place. This update will allow more than two parties to be bound to the SCCs during the lifecycle of a contract.
What about transfers involving the UK?
The Information Commission’s Office has said that it intends to publish its own set of “UK SCCs” in 2021, and has issued guidance that the old SCCs will remain a valid mechanism for transfers from the UK until it does so. Accordingly, parties should not rely the new SCCs for transfers from the UK to countries that are outside of the European Economic Area.
Can we continue using the old SCCs?
Companies can use the old SCCs until September 27, 2021. Transfers relying on the old SCCs (if such SCCs are put in place before September 27, 2021) can continue to do so through December 27, 2022, provided the processing taking place does not change. However, beginning September 27, 2021, parties must begin using the new SCCs for all new transfers.
What should we do now?
Although the grace period will provide parties time to transition existing agreements to the new SCCs, companies should begin to assess how to update arrangements going forward. Because the modules offered by the new SCCs allow parties to tailor the clauses and obligations that apply to their relationship, this exercise may not be as straightforward as simply swapping the old clauses for the new. Moreover, parties that routinely engage in cross-border transfers of data will need to start thinking about a forward-looking strategy to employ the new SCCs in future contracts. To get ready for this transition parties should take stock of transfers that rely on the SCCs and confirm the roles of the parties and the underlying data flows.
Companies, particularly U.S.-based service provider processors that will be importing data from the EU, will need to develop a plan to meet the obligations imposed by the new SCCs and a strategy to efficiently integrate those updates into their global privacy compliance program, including how to assist EU-based customers in preparing the necessary data transfer impact assessment. Consumer-facing companies, on the other hand, that are not established in the EU should evaluate how they collect and import data directly from EU-based data subjects as those transfers fall outside the scope of the SCCs. In either case, companies should contact their Gunderson attorney to discuss their options.
How can GD help?
Compliance with the new SCCs requires a detailed analysis of the measures in place to ensure the security of transferred data. For assistance with that process, or if you have any questions regarding this client alert, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts:
Anna Westfelt 650-463-5367 [email protected]
Katherine Gardner 212-430-3188 [email protected]
Cecilia Jeong 646 490 9094 [email protected]
Frida Alim 415-801-4921 [email protected]
James Gately 617-648-9313 [email protected]