January 27, 2021

Volume XI, Number 27

EU Seeking Comment on Revisions to Standard Contractual Clauses

One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US is the use of standard contractual clauses (SCCs). For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has caused some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method, on their own, for transferring personal data to certain jurisdictions, including the US. (See the supplemental protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)

Given these concerns, it has long been anticipated that the EU Commission would revisit and revise the clauses. It has done so, and is seeking comment on modifications to the clauses. Unlike the current SCCs, of which there are a few (including for transfers between two controllers, and transfers from controllers to processors), the new version has a variety of different provisions that the parties can select based on their respective roles (controller, processor). The updated clauses also take into account GDPR-required content, like data minimization and security. They also contemplate more thoroughly “onward transfers” of information, and allow for more parties to be signatories than under the current scheme.

Interested parties have until 10 December 2020 to comment on the draft. It is anticipated that the EU will vote on the clauses early next year, and that they will be adopted shortly thereafter. There would then be a one-year grace period to allow companies to switch over from the current set of clauses to the new ones. The caveat, though, is that companies must use “necessary supplemental measures” to ensure that data is adequately protected. The EU is also seeking comment on controller-processor standard clauses to address general GDPR requirements (in Data Protection Agreements) when data is not being transferred out of the EU.

Putting it Into Practice: Until the new clauses are implemented, companies transferring data between the EU and the US will need to rely on current measures, which include the current set of SCCs, and keep in mind the EDPB’s cautions around “supplementary measures” needed for protecting outbound data. While there is time before any new clauses come into effect, in anticipation of the new clauses, we expect EU companies transferring data will likely be auditing and mapping the data they transfer.

 

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 335

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335