The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.

Overview of situation.  Company A in the EEA retains Company Z-1 in the US to process personal data.  Company Z-1 intends to transmit the personal data to corporate affiliates in other countries throughout the world that are also not considered to have adequate data protection laws (i.e., Company Z-2 and Company Z-3).  There are two main strategies for how the transfer could be structured.

Option 1

Visual

Summary

• 1st Transfer: SCC Module 2. The initial cross-border transfer from EEA to the United States could utilize the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).

• 2nd and 3rd Transfers: SCC Module 3. Pursuant to Section 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). While these could take the form of two separate documents, they might also take the form of a single intragroup agreement that incorporates the SCC Module 3 (Second SCCs).

• U.S. Transfer Impact Assessment. Section 14 of the First SCC requires Company A and Company Z-1 to document a transfer impact assessment of the laws of the United States to determine whether either party has reason to believe that U.S. laws and practices prevent Company Z-1 from fulfilling its obligations under the SCCs.

• Other Transfer Impact Assessments. Section 14 of the Second SCCs require Companies Z-1, Z-2, and Z-3 to create a transfer impact assessment of the laws in which Companies Z-2 and Z-3 operate. It is unclear whether Company A must participate in this process.

• Law enforcement request policy. Section 15 of the SCCs require the data importers (Companies Z-1, Z-2, and Z-3) to take specific steps in the event that they receive a request from a public authority for access to personal data.

Option 2

Visual

Summary

• 1st, 2nd, and 3rd Transfer: SCC Module 2.  The parties could enter into a single SCC Module 2 designed for transfers from a controller to a non-EEA processor, which would list Company Z-1, Company Z-2, and Company Z-3 each as separate data importers (First SCC).

• Transfer Impact Assessments.  Section 14 of the First SCC would require Company A to document a transfer impact assessment with each of the data importers (Company Z-1, Z-2, and Z-3) with regard to their respective countries to determine whether Company A, or whether each of the respective importers, has a reason to believe that the laws of their respective jurisdictions would prevent them from fulfilling their obligations under the First SCC.

• Law enforcement request policy.  Section 15 of the First SCC requires the data importers (Companies Z-1, Z-2, and Z-3) to take specific steps in the event that they receive a request from a public authority for access to personal data.