On June 4, 2021, the European Union's (EU) executive branch, the European Commission (EC), released its new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU's General Data Protection Regulation (GDPR), ending a long wait for revised SCCs. The new SCCs resolve certain practical issues companies faced when using the older versions but simultaneously introduce new obligations for businesses that transfer personal data out of the EU. The EC also released a set of SCCs to address GDPR Article 28 requirements for controller-to-processor personal data transfers within the European Economic Area (EEA). This blog post focuses on the SCCs developed for cross-border personal data transfers.
SCCs are one of the most commonly used mechanisms for transferring personal data out of the EEA to countries that, like the United States, are not considered to provide "adequate" data protection under the GDPR. The EC's existing sets of SCCs (adopted in 2001, 2004 and 2010) have been in need of an update for some time. Issues with the old SCCs range from basic inaccuracies (for example, they still reference the now-defunct 1995 EU Data Protection Directive) to substantive problems affecting applicability, as they cannot readily be used in many common transfer scenarios.
The push to revise the SCCs only increased following the July 2020 Schrems II decision. Schrems II questioned the legitimacy of the SCCs – ultimately finding them valid – and dismantled the EU-U.S. Privacy Shield Framework, putting pressure on U.S. companies both to rely on SCCs for continued cross-border personal data transfers from the EEA and to use SCCs more judiciously and with appropriate regard for the EU Court's assessment of U.S. privacy protections.
A significant open question is how the European Data Protection Board (EDPB) and Member State data protection authorities will interpret the requirements of Schrems II and enforce compliance with the revised SCCs. Although the final SCCs take into account the EDPB's comments on the draft SCCs and "the opinion of Member States' representatives," the revised SCCs endorse a more nuanced approach to cross-border transfers than that permitted in the EDPB's draft guidance on supplemental measures for cross-border data transfers. Ideally, we will see closer alignment between these SCCs and the EDPB's final guidance on supplemental measures, which we expect the EDPB to issue in the coming weeks.
How Quickly Must the New SCCs Be Implemented?
Most businesses will have roughly 18 months to transition to the new SCCs. The EC's implementing decision lays out the following:
- On September 27, 2021, all prior versions of cross-border SCCs will be repealed and may no longer be used for GDPR-compliant data transfers, and all new data transfers relying on the SCCs as a data transfer mechanism must use the new SCCs in order to be GDPR-compliant.
- Organizations with existing SCCs in place will have until December 27, 2022, to implement the new SCCs, but supplemental measures may be required by data controllers in the interim. Note, however, that if the underlying agreement between the parties is renegotiated or the scope of data processing is otherwise changed during the transition period, the new SCCs must be implemented at that point.
Key Practical Updates
- The SCCs are presented as a single document with four different modules applicable to the various relationships between the parties: controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller.
- When the new SCCs are used for cross-border data transfers from a company subject to the GDPR to a data processor or subprocessor, it will no longer be necessary to enter into a separate data processing agreement, because the GDPR Article 28 requirements for these relationships are built into the new SCCs.
- Multiple controllers and processors may sign on to the same set of SCCs, addressing a common problem with the old clauses, which only contemplated a single exporter and a single importer as signatories.
- An optional docking clause allows parties to be added as new signatories after the execution of a set of SCCs, subject to the agreement of all parties.
The flexibility introduced by these changes should streamline the contracting process by more accurately capturing the relationships between the parties and eliminating the need to implement multiple sets of SCCs to cover various parties within the same business relationship.
Expanded Obligations for Data Exporters and Data Importers
New provisions in the SCCs squarely address concerns articulated in the Court of Justice of the European Union's Schrems II decision, strengthening essential security measures, imposing limitations on disclosing personal data to public authorities, and stipulating review and audit processes to ensure compliance with the SCCs. Prior to implementing the revised SCCs, many U.S. businesses will have some work to do to ensure compliance with these new obligations. U.S.-based data processors should anticipate more questions from data controllers prior to SCC implementation, while data controllers should be prepared to assess the ability of other parties to meet the obligations of the SCCs and the adequacy of any proposed supplemental measures. Depending on the data importer's role, the new obligations may require revisions to existing public-facing privacy notices and to procedures for responding to data subject requests, ensuring personal data accuracy, regularly carrying out security checks, accessing personal data, reporting data breaches and retaining personal data. All parties to the SCCs should expect to assume active responsibility for monitoring compliance with the SCCs throughout the relationship.
- Redress and Third-Party Beneficiary Rights. All data importers must transparently provide EU data subjects with an easily accessible contact authorized to handle complaints related to compliance with the SCCs, and any such complaints must be dealt with promptly. If the data subject invokes third-party beneficiary rights and files a complaint, the data importer must agree to accept a binding decision under EU or Member State law. Note as well that SCC signatories must agree to be bound by the laws of a country, typically an EU Member State, that allows third-party beneficiary rights.
- Data Processing Purpose Limitation. While data processors have always been limited to processing data only on the express instructions of the data controller, the new SCCs also limit data processing by importing controllers to the specific purposes set out in Annex I.B of the SCCs, with limited exceptions (including prior express consent, defense of legal claims and protection of an individual's vital interests).
- Onward Transfer Restrictions. Onward transfers to countries outside the EEA, including further transfers within the same country as the data importer, are restricted, with limited exceptions (depending on the relationship between the parties), unless the third-party recipient of the onward transfer also agrees to the SCCs or can otherwise guarantee an equivalent level of protection.
- Recordkeeping and Other Required Documentation. All parties to the SCCs must be able to demonstrate their compliance with the SCCs and must keep documentation of the data processing activities for which they are responsible. Other parties to the SCCs, as well as the relevant supervisory authorities in the EU, can request compliance documentation and may be able to audit the data importer's compliance. Other required documentation includes data breach records, processing instructions for data processors, documented assessments of recipient countries' laws and practices, and internal records related to public authority requests for data disclosures. Businesses should ensure that this documentation is accurately maintained and can be produced easily if it is requested.
Local Laws and Obligations in Case of Access by Public Authorities
Two clauses in Section III of the revised SCCs address a central issue raised in Schrems II (access to data by public authorities). The first requires all parties to the agreement to assess third-country laws and to analyze the related data transfer risks. The second imposes new obligations on a data importer in the event of access by a public authority.
- Third-Country Assessments and Analysis of Data Transfer Risks. The new SCCs require that the local laws and practices of countries outside the EEA be assessed prior to implementation of the SCCs. The assessment must be documented and provided to supervisory authorities upon request. Although the data importer has primary responsibility for carrying out this assessment, all parties must warrant that "they have no reason to believe" third-country laws "prevent the data importer from fulfilling its obligations" under the SCCs. The SCCs allow the parties to consider the specific circumstances of the personal data transfer, the relevant safeguards in place to protect the personal data, and the non-EU laws and practices relevant to the data transfer and processing.
Importantly, parties may consider "reliable information on the application of the law in practice," "the existence or absence of requests in the same sector," and the data importer's "relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time frame." This means parties may subjectively analyze the importer's risk of receiving disclosure requests – an approach that the EDPB's draft guidance on supplemental measures expressly rejected ("you should … not rely on subjective factors such as the likelihood of public authorities' access to your data …"). Should any circumstances change the assessment of the recipient jurisdiction such that the data importer can no longer comply with the SCCs, the data importer must promptly notify the data exporter, and the data exporter must take appropriate action.
- Obligations in Case of Public Authority Access Requests. Where a data importer receives a public authority's request for data or otherwise "becomes aware of" a public authority's "direct access" to data, the SCCs impose two obligations on the data importer. First, the importer must promptly notify the data exporter and, where possible, the affected data subject(s). If the public authority prohibits the importer from notifying the exporter or data subject, the importer must use its best efforts to obtain a waiver of the prohibition.
Second, the importer must challenge requests by public authorities if the importer concludes there are reasonable grounds to consider the request unlawful under "the laws of the country of destination, applicable obligations under international law and principles of international comity." These challenges must be vigorous, including appeals where possible and efforts to suspend disclosure orders until a competent judicial authority has ruled on the merits. The importer must document its assessment of potential challenges to a government request and its efforts to challenge the request. The importer must also provide regular reports on requests received from public authorities.
Technical and Organizational Measures / Supplemental Measures
Data exporters using the SCCs must warrant that they have "used reasonable efforts" to determine whether data importers can, "through the implementation of appropriate technical and organisational measures," satisfy their obligations under the SCCs. Protections to help secure personal data must be in place during and following the transfer, and the appropriate level of security can be assessed holistically with regard to the state of the art, the costs of implementation, the risks to the individual, and the nature, scope, context and purposes of the data processing. Additional restrictions are recommended when sensitive personal data is processed. In transfers between data controllers, the importing controller is assigned primary responsibility for complying with the GDPR's personal data breach notification and recordkeeping requirements.
Annex II of the new SCCs requires a statement regarding the technical and organizational measures taken to ensure the security of personal data. Businesses should be prepared to have this information available and updated regularly. The security information may be redacted (at least in part) if the SCCs must be disclosed in response to a data subject request, but only if a meaningful summary of the security measure(s) is provided instead. The SCCs also introduce clearer data retention requirements, and retention periods must be listed in Annex I.
The SCCs alone may not guarantee essentially equivalent protection, and a transfer assessment is always required. This means that companies likely will need to consider the SCCs in conjunction with the EDPB's (not-yet-final) guidance on supplementary measures to ensure an EU level of personal data protection, and other relevant direction from data protection authorities as such guidance develops. As with the current SCCs, parties cannot modify the text of the new SCCs; however, supplementary measures may be required to ensure that the transferred personal data receives a level of protection essentially equivalent to that guaranteed within the EU. Drawing on GDPR Recital 109, the revised SCCs allow adding "other clauses or additional safeguards" so long as these neither contradict the SCCs nor "prejudice the fundamental rights or freedoms of data subjects."
What About the UK?
The new SCCs are not valid in the United Kingdom, so a company cannot use them for transfers from the UK to the United States. Data exporters in the UK can continue to use any existing EU SCCs that were valid as of December 31, 2020, and the Schrems II decision and its assessment requirements continue to apply in the UK. The UK's Information Commissioner's Office (ICO) plans to publish UK SCCs for cross-border data transfers, along with additional guidance, in 2021. In the meantime, the ICO has published versions of the older EU SCCs on its website, with the references updated to reflect UK law.
The EC's adequacy decision with respect to the UK is not yet final. Recently, the European Parliament asked the European Commission to modify its draft decision on UK adequacy, echoing concerns raised by the EDPB related to the UK's bulk data surveillance and onward transfer practices, as well as certain of its international data-sharing agreements. The European Parliament's resolution included a request that Member State data protection authorities suspend transfers of personal data to the UK if the adequacy decision were implemented without revision. Following the Brexit transition period, which ended on December 31, 2020, the EU and the UK agreed to delay data transfer restrictions for up to six months. The ICO recommended that UK businesses receiving personal data from the EEA put alternative transfer mechanisms in place by the end of April 2021. With the bridge period quickly coming to an end later this month and no finalized adequacy decision in place, businesses should consider whether they need to revisit their EEA-to-UK transfers.