The new SCCs – Are You Ready?

Thousands of U.S.-based companies that had self-certified under the 2016 EU-U.S. Privacy Shield Framework, on the assumption that the program complied with EU regulators’ requirements regarding international transfers of personal information from the EU to the U.S., were left in shock after its invalidation by the Court of Justice in its July 16th 2020 ruling in the Schrems II case.

This didn’t come as much of a surprise to the international privacy community (see my 2018 article for the IAPP Privacy Advisor), given the number of concerns the EU Commission kept raising during each of its annual reviews of the program. The concerns centered around the administration of the program by the U.S. Department of Commerce, its enforcement by the Federal Trade Commission and, more generally, the robustness and sufficiency of the protections afforded to EU personal information – particularly from disclosure to various agencies of the U.S. Federal Government – once transferred to the U.S.

With the Privacy Shield gone, in order for these U.S.-based companies to continue to lawfully process the personal information of EU residents in the U.S. and beyond, they have had to resort to an alternative mechanism approved by the EU. One of these other mechanisms is the EU Commission’s Standard Contractual Clauses (SCCs), also known as the “Model Clauses”, which were last amended under the EU Privacy Directive of 1995, legislation that has since been replaced by the General Data Protection Regulation (GDPR) of 2016.

Needless to say, for these SCCs to continue to fulfill their role as a reliable mechanism for international data transfers – particularly in the wake of the Privacy Shield invalidation – they needed quite a refresh to bring them in line with the GDPR as well as with the new means of processing of personal data brought about by the advent of new technologies in recent years. This long-awaited regulatory revamp is now a reality after the European Commission released a new set of draft SCCs on 12 November 2020.

The new set of draft clauses is mostly based on the Schrems II judgement and the European Data Protection Board’s “recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.

Who is concerned by these new clauses?

Whereas the current SCCs can only be used for the transfer of personal data originating from the EU, the new SCCs can be used in several other situations to cover:
– Transfers from data exporters that are controllers in the EU
    – to controllers in a third country (including the U.S.)
    – to processors in a third country
– Transfers from data exporters that are processors in the EU
    – to a sub-processor in a third country
– Transfers from controllers established in a third country subject to the GDPR (such as Canada) to processors outside the territorial scope of application of the GDPR (such as the U.S.), and
– Transfers from processors established in a third country subject to the GDPR to processors outside the territorial scope of application of the GDPR.

What obligations won’t be affected by the new SCCs?

The data exporter, assisted by the data importer, will still be required to consider the level of personal data protection in the third country.

In addition, the data importer will continue to have an obligation to notify the data exporter of any inability they would have to comply with the SCCs.

Where the data exporter receives such a notification, they will have to either suspend data transfers, terminate the agreement, or notify the supervisory authority if the transfer continues after having received such a notice.

What new obligations will be imposed on the parties?

In line with GDPR requirements, the new SCCs contain new obligations on the parties:
– An obligation for both parties to evaluate whether the third country’s law is essentially equivalent to the GDPR, by performing a mini adequacy assessment.
– An obligation for the data exporter to assess and document the impact on the data of the transfer, and to make that documentation available to the competent supervisory authority on request.
– New factors to be considered by the data exporter in connection with the transfer: not only must they consider the law and practice in the third country, but also the duration of the contract, the scale and regularity of transfers, the length of processing chain and transmission channel used, the type of recipient, the purpose of the transfer and the nature of the data transferred.
– Stronger obligations on the data importer regarding attempts by third country public authorities to access personal data originating from the EU.
– Where additional safeguards are needed, the Commission strengthens the role of supervisory authorities. If a data exporter has reason to believe that a data importer cannot fulfil its SCC obligations, the data exporter may only continue transferring personal data if it puts additional safeguards in place. However, in that case, the data exporter must notify the supervisory authority of such additional safeguards, and provide full details of the safeguards adopted, which will be reviewed by the supervisory authority.

One of the gaps filled by the new clauses is that they address multiple situations by adding content to account for different types of relationships: controller to controller, controller to processor, processor to sub-processor and processor to controller. In that sense, they go further than the current SCCs, which only address situations where the data exporter in the EU is a controller.

In addition, the new clauses are intended to be more flexible, as they include a possibility for new parties to access the draft SCCs via a “docking clause” at any time, through the execution by all parties of a specific Annex defining each party’s role and responsibilities in the processing. This allows a third country-based company to engage another processor without having to enter into a new set of SCCs, thus reducing the number of separate contracts the company has to sign.

Moreover, the new clauses are set to impose new obligations derived from the GDPR on data importers, sometimes going further than what is currently required to be included in contracts between controllers and processors, particularly in relation to audits and the processor’s cooperation obligations.

The new SCCs also establish an accountability principle, compelling both controllers and processors to agree to demonstrate their compliance with the clauses. Additionally, processors are required to keep records of any processing they carry out on behalf of the controller.

When will these new clauses apply?

Parties to the current SCCs will have a one-year transition period to set up the new clauses. During this one-year period, companies can continue to transfer data on the basis of the current SCCs.

Per the EDPB Recommendations and the Schrems II decision, data exporting entities are however advised to review the current contract documentation they have in place with companies outside the EU with which they share the personal information of EU residents and to consider, where appropriate, requesting additional assurances from recipients of such data regarding the safeguards used to protect the information.

This article was written in collaboration with Auriane Wilhelm
