Companies operating out of the United States, but importing data from the European Union or United Kingdom, must have specific contracts in place with the data exporter – contracts which have now been updated. Advisori helps our clients navigate the complexities of these recent changes to standard contractual clauses.
Standard contractual clauses (“SCCs”) are a standard set of contractual data protection terms and conditions to which the data exporter and importer agree when transferring data outside the EEA or UK to an inadequate country.
The Case for Standard Contractual Clauses
Under Article 45 of the GDPR, personal data can only be transferred outside of the European Economic Area (“EEA”) and the United Kingdom (“UK”) to countries that the European Commission (“EC”) has deemed as having adequate data protection laws and practices. To date, the EC has approved only 13 countries as having “adequate” privacy safeguards. As an alternative, Article 46 of the GDPR does allow data transfers outside of the EEA and UK to “inadequate countries” where the data exporter applies “appropriate safeguards” to protect the data.
How This Impacts U.S. Companies
The EC considers the United States as “inadequate” due to its government surveillance laws. As such, the European Union and the U.S. government negotiated the Privacy Shield framework to facilitate commerce, wherein participating U.S. companies could self-certify under this Privacy Shield framework as an acceptable Article 46 transfer mechanism, thereby allowing them to receive personal data from the EEA.
Many companies doing business in the EEA and the UK are scrambling to update their standard contractual clauses. This is largely the result of a well-publicized decision, issued on July 16, 2020, by the Court of Justice of the European Union (“CJEU”). Its decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”) represents a seismic shift for those companies relying on either the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as the basis for compliance with the Article 46 transfer mechanism.
Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a legal Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. In Schrems II, the CJEU underscored a fundamental rule that must be followed for data transfers outside the EEA to inadequate countries: any data exporter transferring personal data outside the EEA must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of data protection essentially equivalent to that of EU law.
More specifically, companies relying on SCCs to transfer data outside of the EEA to “inadequate” countries must conduct a transfer risk assessment to determine whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If the results of this assessment reveal risk, the data exporter must apply “supplementary measures” to the cross-border data transfer sufficient to mitigate the identified risk – enough to ensure a level of protection to the data that is essentially equivalent to the level of data protection in the EU.
Brexit further complicates cross-border data transfers from the EEA and the UK. Because of the UK’s withdrawal from the European Union on January 1, 2021, the CJEU no longer has jurisdiction over the UK and neither does the EC. Instead, the UK’s primary data protection authority is now the Information Commissioner's Office (the “ICO”), and the “UK GDPR” has now replaced the GDPR.
In practice, this means that companies transferring data outside the EEA or the UK, or both, may now be required to use different sets of SCCs – one set approved by the EC (EU SCCs) and another approved by the ICO (UK SCCs).
If your company is struggling to update its existing Standard Contractual Clauses, Advisori can help. We know that finding the right resources for the job, from experienced privacy attorneys to contract managers, is a challenge. That is why we have built a specialized team to ensure our clients achieve their compliance deadline.
Copyright 2023 Advisori.com