On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR”) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S.
Companies that have in the past relied on the U.S. Privacy Shield to transfer data from the EU to the U.S. will need to pay particular attention to the new SCCs and guidance. The decision in the Schrems case invalidated the Privacy Shield, requiring companies to turn to SCCs to ensure their data transfers complied with GDPR requirements.
The guidance issued by the Commission makes clear that in implementing the new SCCs, companies must take steps to put in place practices that enhance the effectiveness of data protections to bring them closer to essential equivalence with EU protections. This guidance is complex, and means that companies will need to:
Companies will choose from the modular provisions based on their status as controllers or processors under the GDPR, choosing the module clauses that apply to their situation and tailoring their obligations under the SCCs to their respective roles and responsibilities.
The general clauses address several requirements including, among others, the obligation that parties ensure that the data protection laws in the receiving country – including any requirements to disclose personal data or measures authorizing access by public authorities – do not prevent the data importer from fulfilling its obligations under the SCCs. Additionally, they outline the data importer’s obligations concerning government access requests. These obligations include notifying the exporter upon receiving such requests, reviewing their legality, and restricting the data provided to the minimum permissible under the law. The SCCs provide for a redress mechanism for data subjects.
The general clauses also address the obligations of the parties in the event the data importer is unable to comply with the SCCs, and the termination of the SCCs. They also clarify the parties’ ability to choose the law of one of the EU Member States to govern the SCCs, and the choice of forum and jurisdiction in the event of a dispute arising from them.
Controllers and processors may continue to rely on the existing SCCs during the one-year transitional period from the adoption of the new SCCs, provided they do not change the contract during that time. However, companies can include additional measures in their contracts to ensure that the transfer of personal data is subject to appropriate safeguards.
Upon request, companies must provide data subjects with a copy of the SCCs and inform them of any change in the purpose of processing or the identity of any third party with whom data is shared. Then, when data is transferred to additional recipients in third countries, transfers are allowed only if the recipient accedes to the SCCs; protection of transferred personal data is ensured by other means; or the data subjects have been informed and provided explicit consent.
The public can provide feedback on the SCCs until December 10, 2020, and authorities expect to adopt them in early 2021.
The European Commission announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.