Data privacy: What's new in cross-border transfers? The Standard Contractual Clauses

The transfer of personal data between companies and countries is vital for smooth data processing operations. When transferring data out of the European Union, companies are required to comply with the General Data Protection Regulation (GDPR) which requires that any data that is transferred to a vendor in a third country for processing must receive the same level of protection as required by the EU. The GDPR specifically prohibits transfer of personal data to third countries that do not have an adequate level of data protection. To lawfully transfer data out of the EU to another country, the data controller must have a lawful mechanism in place to make the transfer. In the not-too-distant past, US companies primarily relied on Privacy Shield certification or the Standard Contractual Clauses in contracts with vendors to authorize that data transfer.

So long, Privacy Shield

That all changed last year, when the European Court of Justice found that Privacy Shield was non-compliant with the GDPR in the “Schrems II”¹ decision. When the court invalidated Privacy Shield as an adequacy mechanism in July 2020, this left the Standard Contractual Clauses (SCCs) — last revised in 2010 — as the primary data transfer mechanism available to US companies.

On June 4, 2021, the European Commission released new and significantly revised SCCs. The revisions considered the adoption of the GDPR in May 2018 and the July 2020 ruling in Schrems II. These updated SCCs will better meet operational data privacy requirements because they address the significant evolution of overall technology as well as the introduction of new data privacy regulations.

Summary of key changes for data privacy

1. All relationship scenarios are covered. The new SCCs now account for all possible controller and processor relationships including controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. The prior SCCs did not account processor-to-processor or processor-to-controller.
2. Allows for multiple parties in an agreement. Multiple parties can now join the agreement, to account for the multiple controllers, processors, and complex data streams that exist today.
3. Updates the clauses to comply with GDPR. This revision incorporates the GDPR requirements that were not in the prior version of the SCCs.
4. Schrems II requirements addressed. The SCCs now include accounting for how the third country’s laws affect the data importer’s ability to comply with the SCCs and how access requests from the third country’s law enforcement authorities are issued and processed by the government. Most significantly, organizations must conduct a transfer impact assessment to:
   • Determine the likelihood that public authorities will request access to the data being transferred and;
   • Identify the supplemental security measures that should be implemented to protect that data
5. Security measures improved. A data importer must comply with and monitor a list of specific technical and organizational measures identified in the SCCs to ensure that proper data security is in place to protect data.

Data privacy steps for your organization

There is an 18-month transition period to replace the existing data protection agreements that include the prior version of the SCCs. Now is the time to work with your legal and privacy teams to review existing contracts, conduct a risk assessment for internal transfers, implement any operational changes, and fulfill security obligations required to comply with the new SCC clauses. Having a clear understanding of data flows, inventory, and strategy to successfully monitor the export of data out of the EU will be vital to successful navigating this new set of data privacy rules.

¹ Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, Court of Justice of the European Union (CJEU)