On June 4, 2021, the European Commission (EC) adopted a revised version of the Standard Contractual Clauses (SCCs). SCCs are important template agreements that allow entities to transfer data outside of the European Economic Area (EEA) to third countries (such as the United States) that have not received a formal adequacy decision from the EC.
The revisions carry a great deal of significance following the Court of Justice of the European Union’s (CJEU) Schrems II ruling, which invalidated the Privacy Shield agreement. The CJEU found that, in light of U.S. surveillance laws, the Privacy Shield did not provide an adequate level of protection for the data of EU persons. As we’ve previously written, data agreements like Safe Harbor and Privacy Shield provided much-needed legal certainty to small and medium-sized enterprises (SMEs), like our members, who comprised 70 percent of the companies using Privacy Shield. The decision left SCCs as the only remaining mechanism to effectuate EU-U.S. data transfers.
Data importers and exporters can begin using the new SCCs on June 27, 2021, though they may continue to use the previous SCCs for new data transfer agreements until September 27, 2021. Existing transfers that do not undergo a material processing change can rely on the previous SCCs until December 27, 2022, after which they must be renegotiated using the new SCCs. Follow along as we highlight key features of the new SCCs.
The Good
Upfront, it bears mentioning that the SCCs, even ignoring the outcome of Schrems II, badly required an update. Before the Commission’s new revisions, it had not updated the SCCs since 2010, well before the advent of the General Data Protection Regulation (GDPR) and several revolutions ago in the digital economy. As a result, the previous set of SCCs did not contemplate certain now-common modes of data transfer, such as processor-to-processor data transfers. The revised SCCs rectify this by introducing two new “modules” that recognize and provide specific language for processor-to-sub-processor and processor-to-controller data transfers, on top of the existing controller-to-processor and controller-to-controller language. This is a welcome development, as many developers may operate concurrently as processors, sub-processors, or controllers depending on the specific project or business opportunity. Previously, developers did not enjoy coverage for all of these roles under the SCCs. A new docking clause, which allows a new party to quickly accede to an existing SCC agreement between entities, is also a helpful and complexity-reducing mechanism.
Furthermore, the new SCCs introduce much-needed flexibility for data exporters who have reason to believe that the data importer can no longer fulfill its obligations. As Clause 14(f) of the Annex to the Implementing Decision outlines, data exporters who receive notification from the data importer, or otherwise have reason to believe that the importer can no longer fulfill its obligations under the clauses, can continue to transfer personal data so long as they work with the data importer to implement supplementary measures that allow the importer to regain its ability to satisfy the contract. Previously, data exporters who received notification that the importer could not comply with the contract were compelled to immediately suspend or terminate the data transfer outright. This change realistically reflects the dynamic nature of international data transfers, recognizing that a data importer may temporarily be unable to meet its SCC obligations for reasons outside its control (e.g., changes in national surveillance law). In such cases, the importer ought to be permitted time to recalibrate its approach or compensate for the changes.
The Bad
Unfortunately, the new SCCs introduce additional burdens in numerous other areas of which developers should be aware. As a result of Schrems II, it was clear that, at a minimum, the new SCCs would need to include “transfer impact assessments” to withstand future scrutiny at the CJEU. Less clear was what exactly those assessments would include. As we noted in our official comments on the draft SCCs, one particularly burdensome requirement is the obligation that data importers review the legality of any government request for the disclosure of personal data transferred pursuant to an SCC under the laws of the importing country, “exhausting available possibilities of appeal” if it concludes “that there are reasonable grounds to consider that the request is unlawful under the laws of the third country.” For small app developers that do not already have a robust legal department well-versed in challenging such requests, this essentially means that any government access request covering data transferred pursuant to an SCC would spell the end of that SCC.
Furthermore, the new SCCs will require a substantially heightened level of record-keeping compared to the previous SCCs. For example, the EC seemingly grants new flexibility by blessing a risk-based approach that allows data importers to rely on “practical experience” as they make the required assessment of their local laws to determine the legality and risk of government access for a given transfer. However, as newly finalized European Data Protection Board (EDPB) guidance states, companies will need to extensively document and prepare a legal assessment explaining why any “problematic legislation” in the importing country will not be applied in practice to the transferred data, while also taking into account the experience of other actors operating within the same sector. Adverse implementation of this guidance could even create a scenario in which entities that take on the substantial burdens outlined in the revised SCCs and EDPB guidance still have their data transfers rejected by data protection authorities, undermining one of the key potential benefits of this rulemaking.
Additionally, while the new modular approach successfully addresses a gap in the current SCCs, it also introduces a new source of compliance rigidity for businesses, who must now identify, track, and assess how each of their data transfers matches up to each module. This evaluation will again require an extensive legal evaluation by both parties, especially in the cases of dynamic data transferring partners, whose roles may change on a daily, potentially even hourly, basis.
Another issue relates to the territorial scope of the SCCs, which aim to cover data transfers in which the importer is not already subject to GDPR. However, the situation becomes complicated when the data importer is not based in the EU but is still subject to GDPR under Article 3(2) because it already processes the information of data subjects located in the EU. In that case, Article I of the Implementing Decision seems to imply that SCCs are not a permissible transfer mechanism. Additional guidance may be required to provide clarity on what, if any, additional transfer mechanism is permitted or required in such a case.
The Future
Though the revised SCCs restore a measure of clarity to certain classes of data partnerships, they remain unsatisfactory as the only data transfer mechanism for SMEs based in either the EEA or the United States. Even apart from the new burdens the SCCs create, ambiguities abound and, as noted, implementation of EDPB guidance on the topic could either clarify or complicate the situation even further. On the positive side, the Biden Administration seems to recognize the difficulties created by Schrems II and is reportedly seeking to solidify a high-level agreement with EC leadership to pave the way for a new transatlantic data transfer framework similar to Privacy Shield. At the App Association, we’ll continue to let policymakers know that the status quo can’t hold, and we will keep you updated as the rulemaking process evolves on both sides of the Atlantic.