New Standard Contractual Clauses Introduced For GDPR – Effective September 27, 2021
The European Commission has issued new “Standard Contractual Clauses” – or SCCs – for the transfer of personal data outside of the European Economic Area (including transfers to the United States) after September 27, 2021. Any existing contracts that incorporated the old version of the SCCs must be updated no later than December 27, 2022.
The EU’s General Data Protection Regulation (“GDPR”) protects the personal data of individuals in the European Economic Area (the EU plus Iceland, Liechtenstein, and Norway). Under the GDPR, protected information may be transferred to a country outside of the EEA only if the European Commission has made a determination that the laws of the third country ensure an adequate level of protection (an “adequacy decision”) or if there are “appropriate safeguards” and data subjects have “enforceable rights and effective legal remedies….”
Since there is no adequacy decision for the United States, U.S. recipients of GDPR-protected data must travel a narrow path to achieve “appropriate safeguards.” After the invalidation of the EU-US Safe Harbor in 2015 and the EU-US Privacy Shield in 2020, virtually the only practical alternative that remains is the SCCs published by the European Commission. (There are also “binding corporate rules,” but these can be used only between corporate affiliates or enterprises engaged in a joint economic activity.) The SCCs are contractual clauses – typically attached to a Data Processing Agreement – under which the data recipient agrees to protect the transferred information in accordance with GDPR requirements. The original SCCs were published in 2010 – before the GDPR became effective – and didn’t always fit the GDPR terminology or the facts of a transaction very well. However, because the clauses were non-negotiable under EU law and couldn’t be modified in any way, most companies simply attached them as an addendum to the data transfer agreement, often without reading them.
On June 4, 2021, the European Commission issued new SCCs. The Commission addressed the problem of the inflexibility of the old SCCs by structuring the new version with “modules” that can be swapped in and out depending on whether the transfer is from a “controller” (who determines the purposes for which the data will be processed) to a “processor” (who processes the data on behalf of the controller), controller to controller, processor to processor, or processor to controller. However, other than assembling the correct modules, the new SCCs also cannot be modified or negotiated.
Substantively, the new SCCs give data subjects greater rights, including rights to certain information and to redress for damages incurred with respect to their personal data. Data importers (in our case, the entity on the U.S. side of the data transfer) agree to the jurisdiction of the EU courts and to comply with applicable EU laws, submit to audits, and respond to inquiries.
From an operational point of view, the new SCCs include three Annexes that must be customized for each transaction to identify the parties, describe certain aspects of the data transfer, identify the appropriate EU supervisory authority, and describe the technical and organizational processes that will be used to protect the data. If the data recipient is a processor who may transfer the data to one or more sub-processors, there is also an Annex in which to list pre-approved sub-processors.
Companies are not required to use the SCCs, but for the time being, the SCCs may be the most expeditious way to address the “appropriate safeguards” requirement. (In some cases, additional representations, warranties, or contractual commitments may also be required if necessary to protect the data under the specific facts of the transaction.) Parties entering into a new transaction on or after September 27, 2021 who wish to use the SCCs should identify the type of transfer they are making (controller to processor, controller to controller, processor to processor, or processor to controller) and prepare a version of the SCCs that contains the correct modules for that type of transfer. Parties who have used the old SCCs for transactions that are still ongoing should plan to amend their existing agreements to incorporate the new SCCs before December 27, 2022. Because amendments take time, companies that must update existing transactions should begin the process of identifying those transactions and communicating with counterparties soon.
Finally, because the new SCCs contain all of the required elements for a data transfer agreement under the GDPR, some commentators have suggested that the parties could enter into just the SCCs, without a separate Data Processing Agreement. While that is a possible option for a transaction in which all data transferred is subject to the GDPR, it would not be appropriate for a transaction that involved both EU and non-EU data. Therefore, in transactions involving data from multiple jurisdictions, we continue to recommend the use of a Data Processing Agreement to which an appropriate version of the SCCs is incorporated solely for the purpose of applying to the EU data.
Stay tuned: The new EU SCCs are not valid for transfers of personal data out of the United Kingdom. The UK’s Information Commissioner’s Office (“ICO”) published draft UK SCCs (called an International Data Transfer Agreement or IDTA) plus an Addendum to the EU SCCs that could be used for transactions that involved the transfer of personal data out of both the EU and the UK. There is a “consultation period” for the drafts until October 7, 2021, after which the ICO is expected to finalize the IDTA and the Addendum prior to the end of the year.