On June 4, 2021, the European Union’s (EU) executive body, the European Commission (EC), released its new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU’s General Data Protection Regulation (GDPR), ending a long wait for revised SCCs. The new SCCs resolve certain practical issues companies faced when using the older versions but simultaneously introduce new obligations for businesses that transfer personal data out of the EU. The EC also released a set of SCCs to address GDPR Article 28 requirements for controller-to-processor personal data transfers within the European Economic Area (EEA). This blog post focuses on the SCCs developed for cross-border personal data transfers.
SCCs are one of the most commonly used mechanisms for transferring personal data out of the EEA to countries that, like the United States, are not considered to provide “adequate” data protection under the GDPR. The EC’s existing sets of SCCs (adopted in 2001, 2004 and 2010) have been in need of an update for some time. Issues with the old SCCs range from basic inaccuracies (for example, they still reference the now-defunct 1995 EU Data Protection Directive) to substantive problems affecting applicability, as they cannot readily be used in many common transfer scenarios.
The push to revise the SCCs only increased following the July 2020 Schrems II decision. Schrems II questioned the legitimacy of the SCCs – ultimately finding them valid – and dismantled the EU-U.S. Privacy Shield Framework, putting pressure on U.S. companies both to rely on SCCs for continued cross-border personal data transfers from the EEA and to use SCCs more judiciously and with appropriate regard for the EU Court’s assessment of U.S. privacy protections.
A significant open question is how the European Data Protection Board (EDPB) and Member State data protection authorities will interpret the requirements of Schrems II and enforce compliance with the revised SCCs. Although the final SCCs take into account the EDPB’s comments on the draft SCCs and “the opinion of Member States’ representatives,” the revised SCCs endorse a more nuanced approach to cross-border transfers than that allowed in the EDPB’s draft guidance on supplemental measures for cross-border data transfers. Ideally, we will see closer alignment between these SCCs and the EDPB’s final guidance on supplemental measures, which we expect the EDPB to issue in the coming weeks.
How Quickly Must the New SCCs Be Implemented?
Most businesses will have roughly 18 months to transition to the new SCCs. The EC’s implementing decision lays out the following:
- On September 27, 2021, all prior versions of cross-border SCCs will be repealed and may no longer be used for GDPR-compliant data transfers, and all new data transfers relying on the SCCs as a data transfer mechanism must use the new SCCs in order to be GDPR-compliant.
- Organizations with existing SCCs in place will have until December 27, 2022, to implement the new SCCs, but supplemental measures may be required by data controllers in the interim. Note, however, that if the underlying agreement between the parties is renegotiated or the scope of data processing is otherwise changed during the transition period, the new SCCs must be implemented at that time.
Key Practical Updates
- The SCCs are presented as a single document with four different modules applicable to various relationships between the parties: controller-controller, controller-processor, processor-processor and processor-controller.
- When the new SCCs are used for cross-border data transfers from a company subject to the GDPR to a data processor or subprocessor, it will no longer be necessary to enter into a separate data processing agreement, because the GDPR Article 28 requirements for these relationships are baked into the new SCCs.
- Multiple controllers and processors may sign on to the same set of SCCs, addressing a common problem with the old clauses, which only contemplated a single exporter and a single importer as signatories.
- An optional docking clause allows parties to be added as new signatories after the execution of a set of SCCs, subject to agreement of all parties.
The flexibility introduced by these changes should streamline the contracting process by more accurately capturing the relationships between the parties and eliminating the need to implement multiple sets of SCCs to cover various parties within the same business relationship.
Expanded Obligations for Data Exporters and Data Importers
New provisions in the SCCs squarely address concerns articulated in the Court of Justice of the European Union’s Schrems II decision, strengthening essential security measures, imposing limitations on disclosing personal data to public authorities, and stipulating review and audit processes to ensure compliance with the SCCs. Prior to implementing the revised SCCs, many U.S. businesses will have some work to do to ensure compliance with these new obligations. U.S.-based data processors should expect additional questions from data controllers prior to SCC implementation, while data controllers should be prepared to assess the ability of other parties to meet the obligations of the SCCs and the adequacy of any proposed supplemental measures. Depending on the data importer’s role, new obligations may require revisions to existing public-facing privacy notices and procedures for responding to data subject requests, ensuring personal data accuracy, regularly carrying out security checks, accessing personal data, reporting data breaches and retaining personal data. All parties to the SCCs should expect to assume active responsibility for monitoring compliance with the SCCs throughout the relationship.
- Redress and Third-Party Beneficiary Rights. All data importers must transparently provide EU data subjects with an easily accessible contact authorized to handle complaints related to compliance with the SCCs, and any such complaints must be dealt with promptly. If the data subject invokes third-party beneficiary rights and files a complaint, the data importer must agree to accept a binding decision under EU or Member State law. Note as well that SCC signatories must agree to be bound by the laws of a country, typically an EU Member State, that allows third-party beneficiary rights.
- Data Processing Purpose Limitation. While data processors have always been limited to data processing only on the specific instructions of the data controller, the new SCCs also limit data processing by importing controllers to the specific purposes set out in Annex I.B of the SCCs, with limited exceptions (including prior specific consent, defense of legal claims and protection of an individual’s vital interests).
- Onward Transfer Restrictions. Onward transfers to countries outside the EEA, including further transfers within the same country as the data importer, are restricted, with limited exceptions (depending on the relationship between the parties) unless the third-party recipient of the onward transfer also agrees to the SCCs or can otherwise guarantee an equivalent level of protection.
- Recordkeeping and Other Required Documentation. All parties to the SCCs must be able to demonstrate their compliance with the SCCs and must keep documentation of the data processing activities for which they are responsible. Other parties to the SCCs as well as relevant supervisory authorities in the EU can request compliance documentation and may be able to audit the data importer’s compliance. Other required documentation includes data breach recordkeeping, processing instructions for data processors, documented assessments of recipient countries’ laws and practices, and internal records related to public authority requests for data disclosures. Businesses should ensure that this documentation is accurately maintained and can be produced easily if it is requested.
Local Laws and Obligations in Case of Access by Public Authorities
Two clauses in Section III of the revised SCCs address a central issue raised in Schrems II (access to data by public authorities). The first requires all parties to the agreement to assess third-country laws and to analyze the relevant data transfer risks. The second imposes new obligations on a data importer in the event of access by a public authority.
- Third-Country Assessments and Analysis of Data Transfer Risks. The new SCCs require that the local laws and practices of countries outside the EEA must be assessed prior to implementation of SCCs. The assessment must be documented and provided to supervisory authorities upon request. Although the data importer has primary responsibility for carrying out this assessment, all parties must warrant that “they have no reason to believe” third-country laws “prevent the data importer from fulfilling its obligations” under the SCCs. The SCCs allow the parties to consider the specific circumstances of the personal data transfer, relevant safeguards in place to protect the personal data, and non-EU laws and practices relevant to the data transfer and processing.
Importantly, parties may consider “reliable information on the application of the law in practice,” “the existence or absence of requests in the same sector,” and the data importer’s “relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time frame.” This means parties may subjectively analyze the importer’s risk of receiving disclosure requests – an approach that the EDPB’s draft guidance on supplemental measures expressly rejected (“you should … not rely on subjective factors such as the likelihood of public authorities’ access to your data …”). Should any circumstances change the assessment of the recipient jurisdiction such that the data importer can no longer comply with the SCCs, the data importer must promptly notify the data exporter, and the data exporter must take appropriate action.
- Obligations in Case of Public Authority Access Requests. Where a data importer receives a public authority’s request for data or otherwise “becomes aware of” a public authority’s “direct access” to data, the SCCs impose two obligations on the data importer. First, the importer must promptly notify the data exporter and, where possible, the affected data subject(s). If the public authority prohibits the importer from notifying the exporter or data subject, the importer must use its best efforts to obtain a waiver of the prohibition.
Second, the importer must challenge requests by public authorities if the importer concludes there are reasonable grounds to consider the request unlawful under “the laws of the country of destination, applicable obligations under international law and principles of international comity.” These challenges must be aggressive, including appeals if possible and efforts to suspend disclosure orders until a competent judicial authority has ruled on the merits. The importer must document its assessment of potential challenges to a government request and its efforts to challenge the request. The importer must also provide regular reports on requests received from public authorities.
Technical and Organizational Measures / Supplemental Measures
Data exporters using the SCCs must warrant that they have “used reasonable efforts” to determine whether data importers can, “through the implementation of appropriate technical and organisational measures,” satisfy their obligations under the SCCs. Protections to help secure personal data must be in place during and following transfer, and the appropriate level of security may be assessed holistically with regard to the state of the art, implementation costs, risks to the individual, and the nature, scope, context and purposes of the data processing. Additional restrictions are recommended when sensitive personal data is processed. In transfers between data controllers, the importing controller is assigned primary responsibility for complying with the GDPR’s personal data breach notification and recordkeeping requirements.
Annex II of the new SCCs requires a statement regarding the technical and organizational measures taken to ensure the security of personal data. Businesses should be prepared to have this information available and updated regularly. The security information may be redacted (at least partially) if the SCCs must be disclosed in response to a data subject request, but only if a meaningful summary of the security measure(s) is provided instead. The SCCs also introduce clearer data retention requirements, and retention periods must be listed in Annex I.
The SCCs alone may not guarantee essentially equivalent protection, and a transfer assessment is always required. This means companies will likely need to consider the SCCs in conjunction with the EDPB’s (not-yet-final) guidance on supplementary measures to ensure an EU level of personal data protection and other relevant direction from data protection authorities as such guidance develops. As with the existing SCCs, parties cannot modify the text of the new SCCs; however, supplementary measures may still be required to ensure that the transferred personal data receives a level of protection essentially equivalent to that guaranteed within the EU. Drawing on GDPR Recital 109, the revised SCCs allow adding “other clauses or additional safeguards” as long as these do not either contradict the SCCs or “prejudice the fundamental rights or freedoms of data subjects.”
What About the UK?
The new SCCs are not valid in the United Kingdom, so a company cannot use them for transfers from the UK to the US. Data exporters in the UK can continue to use any existing EU SCCs that were valid as of December 31, 2020, and the Schrems II decision and its assessment requirements continue to apply in the UK. The UK’s Information Commissioner’s Office (ICO) plans to publish UK SCCs for cross-border data transfers, along with additional guidance, in 2021. In the meantime, the ICO has published versions of the older EU SCCs on its website, with the references updated to reflect UK law.
The EC’s adequacy decision with respect to the UK is not yet final. Recently, the European Parliament asked the European Commission to modify its draft decision on UK adequacy, echoing concerns raised by the EDPB related to the UK’s bulk data surveillance and onward transfer practices as well as certain of its international data-sharing agreements. The European Parliament’s resolution included a request that Member State data protection authorities suspend transfers of personal data to the UK if the adequacy decision was implemented without revision. Following the Brexit transition period, which ended on December 31, 2020, the EU and the UK agreed to a delay in data transfer restrictions for up to six months. The ICO recommended that UK businesses receiving personal data from the EEA put alternative transfer mechanisms in place by the end of April 2021. With the bridge period quickly coming to an end later this month and no finalized adequacy decision in place, businesses should consider whether they need to revisit their EEA-United Kingdom transfers.