As we reported last year, the invalidation of the EU-U.S. Privacy Shield on July 16, 2020 is forcing the hand of U.S. companies which access the personal data of EU residents to find a new, lawful mechanism by which to do so in accordance with EU data protection laws. One such alternative – the use of the EU’s standard contractual clauses (SCCs) (a/k/a “Model Clauses”) – was recently bolstered by much-needed proposed updates to the clauses themselves.
On November 12, 2020, the European Commission issued two “draft implementing decisions” designed to align the SCCs with the EU’s current privacy law, the General Data Protection Regulation (GDPR). Following a period of public consultation on these proposals, which concluded on December 21, 2020, the new set of SCCs is finally expected to be approved by the EU Commission and enacted in the coming months. Accordingly, any U.S. company that handles EU data as an importer or data processor is encouraged to begin preparing now to meet the new responsibilities that will come with the updated SCCs.
First enacted under the EU’s Privacy Directive of 1995 and last amended in 2010, the SCCs give companies a means by which to legally transfer EU data to any location outside the EU. The SCCs are essentially a set of non-negotiable contract provisions which bind a data importing entity based outside the EU to process EU data in accordance with the law of the EU Member State in which the data exporting entity is established. Although the SCCs have been available for some time, many U.S. companies opted to rely on other validating mechanisms considered easier to implement, such as the Safe Harbor between 2000 and 2015, followed by the 2016 Privacy Shield which offered a convenient self-certification process under the administration of the U.S. Department of Commerce.
However, with the adoption of the 2018 General Data Protection Regulation (GDPR) and its stringent data collection rules, the EU’s position on data privacy shifted dramatically. In time, the European Court of Justice concluded that the Privacy Shield was no longer an effective validation mechanism because it failed to address ongoing EU concerns over the level of its enforcement by the Federal Trade Commission. Likewise, EU authorities began to question the Shield’s effectiveness in protecting EU data against access by various U.S. governmental agencies. Along with the decision to revoke the Shield came the need to align the SCCs with the provisions of the GDPR.
Key Changes to SCCs
The new SCCs, which are expected to be adopted early this year, take into account the complexities of modern international data processing chains by offering both general provisions and a number of modular provisions from which to choose based on the unique nature of the transfer and processing relationship between the parties.
- One set of rules with different options
Unlike the existing SCCs, which include two different sets of rules, the new SCCs consist of one set of rules, with the flexibility to choose those modular provisions which best suit the parties’ contractual relationship. There are four specific transfer scenarios included:
- Controller to Controller
- Controller to Processor
- Processor to Processor*
- Processor to Controller*
* The existing SCCs do not address these situations.
- Government Access to EU Data
There are several provisions which discuss how the data importer must handle requests for access to EU data from government authorities, such as under the U.S. Patriot Act. Essentially, the new SCCs do not excuse the data importer from fulfilling its obligations under the SCCs in the event of a binding government act. Further, importers will be required to notify the exporter about the government’s access request so that the legality of such requests can be reviewed.
- New protections added
The new SCCs include provisions relating to redress by EU data subjects, indemnification in the event of a breach by either party, audit rights for the supervising EU data authority, and a termination right for exporters if the importer is deemed unable to meet its obligations. Also, choice of law and choice of forum clauses have been included.
- Special Categories of Data
The existing SCCs cover only the limited number of categories of sensitive data defined in the 1995 Data Protection Directive, whereas the new SCCs will align with the broader definition of such categories provided for under the GDPR. Likewise, the new SCCs will allow contracting parties to select the applicable categories of data when drafting their processing agreement.
- Exhibits to the SCCs
The new SCCs offer new annex options, including an exhibit intended to list all sub-processors who may handle the imported data in support of the processor.
- New Obligations on Data Importers
The new clauses are set to impose new obligations derived from the GDPR on data importers, sometimes going further than what is currently required to be included in contracts between controllers and processors, particularly in relation to audits and the processor’s cooperation obligations.
The new SCCs also establish an accountability principle, compelling both controllers and processors to agree to demonstrate their compliance with the clauses. Additionally, processors are required to keep records of any processing they carry out on behalf of the controller.
Once adopted, companies will have 12 months to replace existing SCCs with the newly enacted version. U.S. companies are advised to start preparing now for the new responsibilities for data processors and importers that will come with the new SCCs. Furthermore, given the fact that, unlike the Privacy Shield, the SCCs (including the current ones) are subject to EU law, U.S. companies may wish to retain counsel to review their responsibilities under applicable EU laws. If you have questions about the new SCCs or about the EU's privacy laws in general, please contact Stephan Grynwajc at email@example.com or 347-543-3035.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.