On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR”) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S.
Companies that have in the past relied on the U.S. Privacy Shield to transfer data from the EU to the U.S. will need to pay particular attention to the new SCCs and guidance. The decision in the Schrems case (discussed previously in this blog) invalidated the Privacy Shield, requiring companies to turn to SCCs to ensure their data transfers complied with GDPR requirements.
The guidance issued by the Commission makes clear that in implementing the new SCCs, companies must take steps to put in place practices that enhance the effectiveness of data protections to bring them closer to essential equivalence with EU protections. This guidance is complex, and means that companies will need to:
The draft new SCCs combine modular provisions, from which companies will select, with a number of general provisions that all companies will use.
Companies will choose from the modular provisions based on their status as controllers or processors under the GDPR, choosing the module clauses that apply to their situation and tailoring their obligations under the SCCs to their respective roles and responsibilities.
The general clauses address several requirements including, among others, the obligation that parties ensure that the data protection laws in the receiving country – including any requirements to disclose personal data or measures authorizing access by public authorities – do not prevent the data importer from fulfilling its obligations under the SCCs. They also address the data importer’s obligations with respect to government access requests, requiring the importer to notify the exporter when such requests are received, to review whether they are legal, and to limit the data they provide to the minimum permissible under the law. The SCCs provide for a redress mechanism for data subjects.
The general clauses also address the obligations of the parties in the event the data importer is unable to comply with the SCCs, and the termination of the SCCs. They clarify the parties’ ability to choose the law of one of the EU Member States to govern the SCCs, and the choice of forum and jurisdiction in the event of a dispute arising from them.
During the one-year transitional period from the adoption of the new SCCs, controllers and processors may continue to rely on the existing SCCs if during that time the contract is not changed. However, companies can include additional measures in their contracts to ensure that the transfer of personal data is subject to appropriate safeguards.
Companies must provide data subjects with a copy of the SCCs upon request and inform them of any change in the purpose of processing or the identity of any third party with whom data is shared. When data is transferred to additional recipients in third countries, transfers are allowed only if the recipient accedes to the SCCs; protection of transferred personal data is ensured by other means; or the data subjects have been informed and provided explicit consent.
The SCCs are open for public consultation until December 10, 2020 and are expected to be adopted in early 2021.