Prepare Now to Transition to New Standard Contractual Clauses for Cross-Border Data Transfers
Data Privacy & Security 06/10/21 Gregory J. Leighton, Bari L. Rascoe
On June 4, 2021, the European Commission adopted the long-awaited update to the Standard Contractual Clauses (SCCs). Companies that engage in outgoing transfers of data from the European Union (EU) and the European Economic Area (EEA) are required to revise the vast majority of their customer and vendor agreements to account for the new SCCs regime. However, this is not as simple as merely substituting the old SCCs with the new ones. The new SCC framework requires companies to undertake a substantive analysis of the specific transfer taking place. That analysis must be documented within the new SCCs themselves before execution. Companies have three months to begin using the new SCC framework for new data transfers and eighteen months to begin using them for existing transfers. This means that organizations need to overhaul their usage of the SCCs no later than the beginning of 2023.
Companies will have an array of new benefits and burdens in using the new SCCs for transatlantic data transfers. The new SCCs address a gap in data transfer processes that exists under the current SCC structure. The new structure offers much-needed flexibility by taking a modular approach, which allows companies to select the sets of clauses relevant to the types of transfers taking place, including controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers. With this modular approach, the new SCCs now cover all major data transfer scenarios. In preparing to execute the new SCCs, organizations will need to select the modules that apply to their specific circumstances.
The new SCCs also contain an array of other new features (some beneficial, some burdensome), such as:
- More than two parties can adhere to the new SCCs, and additional parties can accede throughout the life cycle of the SCCs;
- The data exporter does not need to be established in the EEA;
- The parties are able to select the law of one of the member states of the EU to govern the SCCs;
- With certain exceptions, data subjects are able to invoke the new SCCs as third-party beneficiaries (therefore the law chosen as governing the SCCs must allow for third-party beneficiary rights);
- The parties must now warrant to each other that they have no reason to believe that the laws in the country of destination applicable to the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under the SCCs;
- In providing the above warranty, the parties must take into account the specific circumstances of the transfer, the laws of the country of destination relevant in light of the circumstances of the transfer, and any safeguards in addition to those under the new SCCs; and
- The data importer is obligated, in the case of a government access request, to (1) notify the data exporter of the request, (2) review the legality of the request, and (3) provide only the minimum amount of personal information permissible when responding to a request for disclosure.
Although the new SCCs provide flexibility, their use also creates substantial new compliance obligations. Of primary note, the new SCCs incorporate the concept of a substantive legal analysis, derived in large part from the European Court of Justice’s Schrems II decision last year and the concerns stated in it. The new SCCs require data exporters and importers to conduct and document a comprehensive, fact-specific assessment of whether the data importer can guarantee a level of data protection adequate under GDPR and sufficient to permit reliance on the SCCs (a "Schrems Analysis"). In conducting a Schrems Analysis, the specific circumstances of the contemplated data transfer need to be taken into account, as do the laws of the country where the data importer is located, especially with regard to potential access to the personal data by the government or other public authorities. As a result, businesses can no longer merely execute SCCs to comply with GDPR’s cross-border transfer requirements; the parties must first analyze whether the SCCs are sufficient for the data transfer in question. EU regulators will undoubtedly be looking for an organization’s Schrems Analysis when assessing its reliance on SCCs for data transfers.
Organizations that transfer EU personal data out of the EU or EEA and must continue to do so should quickly take the following steps toward compliance:
(1) Develop a process to begin use of new SCCs for new transfers no later than September 4, 2021;
(2) Analyze existing vendor and other applicable contracts to identify those that currently contain SCCs;
(3) Perform and document a Schrems Analysis for each applicable data transfer; and
(4) Prepare and execute a new set of SCCs for each applicable data transfer.
Given the magnitude of these tasks for most organizations and the relatively short grace period to complete them, we recommend getting started immediately.
For more information about how the new SCCs and their requirements may apply to your business, contact your local Quarles & Brady attorney or members of our Data Privacy & Security Team: