September 21, 2021

Volume XI, Number 264


September 20, 2021

Subscribe to Latest Legal News and Analysis

European Commission Approves New Standard Contractual Clauses for Transfer of European Personal Data

Earlier today, the European Commission approved and adopted a new version of the Standard Contractual Clauses (SCCs) that revises how data may be transferred by including additional privacy and legal safeguards. The remodeled approach is designed to provide companies with a means to more securely transfer data out of the European Economic Area (EEA). Companies worldwide have been looking forward to the new SCCs as thousands of businesses rely upon the SCCs for their daily operations, such as by cloud providers or internal processes including human resources.

In July 2020, the European Court of Justice (ECJ) stated that data transfers outside of the European Union (EU) relying upon the SCCs are prohibited if the exporter was not able to ensure an adequate level of data protection. This has put a burden on countless companies to reexamine their operations, as the consequences for violations under the European General Data Protection Regulation (GDPR)—which include fines of up to €20 million ($24.1 million) or four percent of annual global turnover (whichever is higher)—can be devastating for any company.

As a result, any company seeking to import data into the U.S. that wishes to rely upon the existing SCCs would have to review its existing protocols to ensure whether its current levels of protection are adequate and, if not, implement additional protocols designed to provide an adequate level of data protection. This could be an expensive and challenging effort to undertake for a number of businesses.

For many companies, the new SCCs will be a welcome sigh of relief with respect to the transfer of personal data. Just like the old SCCs, so long as they remain unmodified, the pre-approved standard approach taken in the new SCCs give companies a straightforward means to implement a legal basis for the protection and transfer of personal data. When utilizing the new SCCs, companies should take comfort in knowing that they are complying with the requirements set forth under the GDPR and have addressed the concerns raised under Schrems II.

Notwithstanding the actions by a company to adequately protect the data transfers, as noted, the ECJ stated that the data protection authorities would be able to suspend or prohibit data transfers, which puts many companies in a bind as they recognize that it might not be possible to adequately protect data in light of the laws of the U.S.

Thus, while the new SCCs is a welcome sigh of relief for many, it may only be temporary in the U.S. unless the U.S. addresses the EU’s concerns. Despite the comfort anticipated by the new SCCs, companies will still be required to evaluate data transfers on a case-by-case basis and may need to supplement the SCCs with additional security protocols based upon the nature and sensitivity of the data transferred.

What are the SCCs?

For those who are unfamiliar, the SCCs govern the transfer of data from the EEA to third countries that have not been deemed by the European Commission to provide “adequate” protections for data subjects’ rights and freedoms. While other alternative transfer mechanisms, such as Binding Corporate Rules and other derogations permitted under the GDPR, the SCCs have emerged as one of the predominant transfer mechanisms used by companies, especially in the aftermath of the Schrems II case last summer, where the ECJ struck down the EU-U.S. Privacy Shield Framework as an acceptable transfer mechanism.

Some Highlights

Companies will have approximately 18 months to replace all existing SCCs governing data transfers, which is likely a hefty administrative and operational task for many organizations.

The new SCCs takes a modular approach to data transfers. Specifically, they allow for not only controller-to-controller transfers and controller-to-processor transfers, but they also allow for processor-processor transfers and processor-controller transfers. This will enable companies greater flexibility in adapting the new SCCs for various data transfer scenarios.

The new SCCs also address concerns raised by the Schrems II case and set forth requirements of data importers related to government data access requests and requirements of data exporters to ensure adequate level protection of data for transferred data.

Next Steps

Due to the fact that the existing versions of the SCCs may only be used for another three months, companies that have relied upon the SCCs as a transfer mechanism should begin their process now of evaluating the requirements outlined in the new SCCs alongside their own internal protocols and those of any third party involved in the processing of personal data.

Companies will need to amend or replace all vendor agreements to comply with the new SCCs in addition to replacing all intra-affiliate agreements to the extent personal data is transferred between them. Companies should also develop a plan for implementing additional privacy and security protocols and controls that are consistent with the requirements of the new SCCs, including how law enforcement access requests will be granted and how transfer impact assessments will be conducted.

Ultimately, companies will need to replace their existing SCCs with the new SCCs as well as update their internal privacy and security program as required by the new SCCs within the next 18 months to avoid potential violations of the GDPR. For a number of organizations, this could be a substantial undertaking and will take significant time and effort to complete, as companies will need to determine what additional measures are required in the context of their business operations to practically comply with the new SCCs.

© 2021 Foley & Lardner LLPNational Law Review, Volume XI, Number 155

About this Author

Aaron K. Tantleff, Foley Lardner, E-Commerce lawyer, IP Attorney, Patents

Aaron K. Tantleff is a partner and intellectual property lawyer with Foley & Lardner LLP. His practice focuses upon providing legal and strategic guidance regarding information technology, outsourcing, licensing, consulting, professional services, e-commerce, manufacturing, supply, and distribution agreements, as well as product acquisitions, strategic alliances, mergers and acquisitions, and private equity investments where technology and intellectual property are of significant importance and value. Mr. Tantleff is a member of the firm’s Technology...

Jennifer L. Urban Data Security Attorney Foley & Lardner Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access toand integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...

Catherine Zhu Privacy Lawyer Foley and Lardner Law Firm
Special Counsel

Catherine Zhu is special counsel and a seasoned business, commercial and privacy lawyer with Foley & Lardner LLP, based in the Bay Area. Catherine focuses her practice on complex commercial agreements, licensing transactions, data sharing transactions, revenue growth, business expansion, legal process optimization, and data privacy, where she helps her clients define and implement data privacy strategies within a complex regulatory environment. Her practice also includes advising in venture capital, private equity and strategic acquisition transactions regarding data privacy and...