Published on July 5, 2022
As summer begins, many companies doing business in the European Economic Area (“EEA”) and the United Kingdom (“UK”) are scrambling to update their Standard Contractual Clauses (“SCCs”). This is the result of the Court of Justice of the European Union's (“CJEU”) decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”), issued on July 16, 2020. The Court’s ruling was a seismic shift for those companies either relying on the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as the basis for compliance with Article 46 of the General Data Protection Regulation ("GDPR"). Pursuant to Article 45 of the GDPR, personal data can only be transferred outside of the EEA to countries that the European Commission ("EC") has deemed to have adequate data protection laws and practices. Only 13 countries have been approved by the European Commission as having "adequate" privacy safeguards. The European Commission, for example, regards the United States as "inadequate" due to its government surveillance laws.
Article 46 of the GDPR, on the other hand, allows data transfers outside of the EEA to "inadequate countries" if the data exporter uses "appropriate safeguards" to protect the data. For example, the European Union and the United States government negotiated the Privacy Shield framework to facilitate commerce, under which participating U.S. companies could self-certify to an acceptable Article 46 transfer mechanism, allowing them to receive personal data from the EEA. SCCs, another option, are the most commonly used Article 46 transfer mechanism. SCCs are a standard set of contractual data protection terms and conditions that data exporters and importers agree to when transferring data outside the EEA to an "inadequate" country.
Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a legal Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. Moreover, the CJEU underscored a fundamental rule that must be followed for data transfers outside the EEA to inadequate countries: any data exporter transferring personal data outside the EEA must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of data protection essentially equivalent to that of EU law. More specifically, companies relying on SCCs to transfer data outside of the EEA to “inadequate” countries must conduct a transfer privacy risk assessment to determine whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If the results of this assessment reveal risk, the data exporter must apply “supplementary measures” to the cross-border data transfer sufficient to mitigate the identified risk, enough to ensure a level of protection for the data that is essentially equivalent to the level of data protection in the EU.
Brexit further complicates cross-border data transfers from the EEA and the UK. As a result of the UK’s withdrawal from the European Union on January 1, 2021, neither the CJEU nor the EC has jurisdiction over the UK any longer. Instead, the UK’s primary data protection authority is now the Information Commissioner's Office (the “ICO”), and the “UK GDPR has now replaced the GDPR.” In practice, this means that companies transferring data outside the EEA or the UK, or both, may now be required to use different sets of SCCs: one set approved by the EC (EU SCCs) and another approved by the ICO (UK SCCs). This article focuses on the EU SCCs.
On November 10, 2020, the European Data Protection Board (EDPB) released its Draft Guidance on International Personal Data Transfers (the “Guidance”) to assist data exporters with their required data transfer privacy risk assessments. The EDPB set forth a six-step program for doing so as follows:
First: the EDPB recommends that the data exporter “know your transfer.” Most critically, a data exporter must fully understand where its EEA personal data is flowing. This is often best accomplished by data mapping and the development of an accurate and comprehensive Article 30 GDPR record of processing activities.
Second: the data exporter must understand and re-evaluate any Article 46 transfer tools in use (e.g., SCCs, BCRs, etc.). Most critically, are these existing transfer tools providing your data subjects with the same level of data protection as EU law requires?
Third: the data exporter must assess whether its Article 46 transfer tool(s) is undermined, in any way, by the laws existing in the destination country. For example, do the laws of the destination country allow its government to seek personal data without permission or even knowledge of the data exporter?
Fourth: the data exporter must adopt “supplemental measures” to mitigate the risk identified in step three. Supplemental measures may come in the form of contractual, technical or organizational protections necessary to ensure that the transferred personal data maintains the same level of protection it has in the EEA.
Fifth: the data protection exporter must take all “formal procedural steps” necessary to ensure the adoption and use of any supplemental measures. For instance, a data exporter may add additional contractual clauses to the SCCs to enhance their contractual safeguards for the data transfer.
Sixth and final: continued re-evaluation by the data exporter, with the assistance of the data importer, of the steps identified above.