*Article originally posted on IAPP.org*
The European Commission recently issued its decision approving revised standard contractual clauses for data transfers to third countries in the Official Journal. The new SCCs are a mechanism companies can use to address the restriction under Article 44 in the EU General Data Protection Regulation on the cross-border transfer of personal data to third countries. Given the timing requirements in the commission’s decision, the U.S. and other service providers located in third countries should expect EU customers will need to update their existing data transfer agreements with the new SCCs by late December 2022. Here are a few recommendations service providers should consider when implementing the new SCCs with their EU customers.
- Do: Confirm your role as a data processor, sub-processor, or controller. The new SCCs have a flexible implementation structure that includes four “modules” to cover personal data transfers from a legal entity within the EU to a legal entity in a third country. Each module corresponds to different cross-border data transfer scenarios depending on the role of the data exporter and data importer, namely:
- Module 1: EU controller to third country controller.
- Module 2: EU controller to third country processor.
- Module 3: EU processor to third country processor or sub-processor.
- Module 4: EU processor to third country controller.EU customers often assume their service provider is a processor and not a controller. In the digital age, however, service providers increasingly make decisions about the purposes or means of processing personal data and therefore may be better characterized as a controller. If a service provider is indeed acting as a controller, then Module 1 is the appropriate choice for EU customer data transfers to the service provider in a third country. As such, a service provider needs to understand their role and their EU customer’s role to identify the most appropriate module for their agreement.
- Do: Understand your personal data flows. The new SCCs impose significant obligations on data importers, including duties related to the onward transfer of personal data to subcontractors. When you are preparing an implementation of the new SCCs, you will need to provide: factual descriptions of the categories of data, the purposes of use and the like; information about technical and organizational security measures; and for Modules 2 and 3, the list of the sub-processors. You will also need to make sure that your systems and processes can meet the performance standards to address data subject access, erasure and other rights, and otherwise comply with the new SCC requirements.
- Do: Focus on updating your agreements with your subcontractors. Particularly where you are using Modules 2 or 3 as a processor or sub-processor, you should focus on updating your agreements with your subcontractors so the subcontractors are subject to appropriate protections in accordance with the new SCCs. You should consider doing this activity before turning proactively to engage with your EU customer base.
- Do: Prepare an assessment of the local laws and practices in the third country. The parties are obligated under Clause 14 of the new SCCs to conduct and document an assessment of the specific circumstances of the transfer, as well as the laws and practices of the third country of destination related to public authorities’ access to personal data. These obligations flow in large measure from the July 16, 2020, decision of the European Court of Justice that invalidated the European Commission adequacy finding on the EU-U.S. Privacy Shield Arrangement. “Schrems II” did not invalidate the prior EC decisions on standard contractual clauses (which are now being replaced by the new SCCs), but it did establish conditions to be addressed regarding third country public authority access to EU personal data. For notes about how to proceed in a post-“Schrems II” world, click here. The European Data Protection Board has now issued guidance (the final version after public consultation still expected at the time of this writing) on how companies should address “Schrems II.” Although the draft EDPB guidance is strict in certain respects about restrictions when public authorities could in theory require access to data, the good news is that footnote 12 to Clause 14 in the new SCCs suggests a little flexibility in that the parties can take account of their practical experience in dealing with prior instances (if any) of demands for disclosure from public authorities.
- D0: Proactively approach EU customers when your new SCCs implementation are prepared. Once your due diligence work is completed and your implementation of the new SCCs are prepared, you should consider proactively approaching some or all your customers with the updated version of the new SCCs. You may wish to approach this in phases, but since this is a regulatory change parties will need to address, a proactive approach may give rise to greater acceptance of your terms, and help you establish more consistent and workable terms across your EU customer arrangements.
- Don’t: Assume that an updated EU-U.S. Privacy Shield arrangement would make all the due diligence efforts with the new SCCs unnecessary. The U.S. government and the European Commission are aggressively working to reach agreement on an updated “Privacy Shield 2.0” agreement. For more information about the context for these trans-Atlantic negotiations and the path forward, click here. Privacy Shield 2.0 would offer an alternative to the new SCCs for data transfers to data importers in the U.S. However, even if a service provider later chooses to participate in such a Privacy Shield 2.0, the due diligence efforts to prepare for the implementation of the new SCCs would not have been unnecessary work. At a minimum, the same types of due diligence would still be required to address “Schrems II” and other Privacy Shield 2.0 requirements. Moreover, the service provider could find that some EU customers still prefer the new SCCs, such that the service provider may still be using the new SCCs in some instances. Service providers should therefore not await the outcome of the Privacy Shield 2.0 discussions before undertaking the due diligence related to the new SCCs.
- Don’t: Forget to carefully evaluate the third-party beneficiary rights, liability provisions and other terms in the new SCCs. The new SCCs contain extensive third-party beneficiary rights, liability provisions and other added terms. Although these provisions cannot be contradicted without potentially disrupting the legal value of the new SCCs, you may wish to consider whether insurance or other strategies could help reduce the risk associated with these expansive provisions.
- Don’t: Miss the opportunity to consider whether other solutions could be applied to address the GDPR cross-border data transfer restrictions. Beyond the new SCCs and a potential Privacy Shield 2.0, there are other options that might be available to service providers depending on the context. For example, depending on how the services are structured and how controls for data are applied, it might be possible to consider whether derogations under Article 49 of the GDPR, such as the data subject’s explicit consent, could allow the transfer. In general, data protection authorities discourage use of these types of derogations for transfers to third countries and the specifics of what is needed can be onerous, but it may help to evaluate these alternatives, particularly since transfers under these derogations should fall outside the scope of “Schrems II” limitations.
- Don’t: Wait for your EU customers to raise the issue with you. Many EU companies are still working through how to structure and approach contracting with the new SCCs. If you wait for your EU customers to present updated contract terms to you for execution, over the long run you may need to apply significant additional resources to negotiate and arrive at terms that are workable and consistent with your business model and operations.
- Don’t: Assume this area of the law is well-settled. This area of the law, particularly cross-border data transfers, is going to continue to develop rapidly. As of this writing, the privacy world is awaiting updated “Schrems II” guidance from the EDPB and is monitoring ongoing enforcement activities related to “Schrems II” by EU DPAs. Other cross-border transfer restrictions and data localization obligations continue to emerge in regions around the world. As such, it seems the only constant in the privacy world at this time is rapid change.