Standard Contractual Clauses Remediation Services
Companies operating out of the United States, but importing data from the European Union or United Kingdom, must have specific contracts in place with the data exporter – contracts which have now been updated. Advisori helps our clients navigate the complexities of these recent changes to standard contractual clauses.
What Are Standard Contractual Clauses?
Standard contractual clauses (“SCCs”) are a standard set of contractual data protection terms and conditions to which the data exporter and importer agree when transferring data outside the EEA or UK to an inadequate country.
Cross-border Data Transfers
The Case for Standard Contractual Clauses
Under Article 45 of the GDPR, personal data can only be transferred outside of the European Economic Area (“EEA”) and the United Kingdom (“UK”) to countries that the European Commission (“EC”) has deemed as having adequate data protection laws and practices. To date, the EC has approved only 13 countries as having “adequate” privacy safeguards. As an alternative, Article 46 of the GDPR does allow data transfers outside of the EEA and UK to “inadequate countries” where the data exporter applies “appropriate safeguards” to protect the data.
How This Impacts U.S. Companies
The EC considers the United States as “inadequate” due to its government surveillance laws. As such, the European Union and the U.S. government negotiated the Privacy Shield framework to facilitate commerce, wherein participating U.S. companies could self-certify under this Privacy Shield framework as an acceptable Article 46 transfer mechanism, thereby allowing them to receive personal data from the EEA.
The UK Stands Alone
Brexit further complicates cross-border data transfers from the EEA and the UK. Because of the UK’s withdrawal from the European Union on January 1, 2021, the CJEU no longer has jurisdiction over the UK and neither does the EC. Instead, the UK’s primary data protection authority is now the Information Commissioner’s Office (the “ICO”), and the “UK GDPR has now replaced the GDPR.”
In practice, this means that companies transferring data outside the EEA or the UK, or both, may now be required to use different sets of SCCs – one set approved by the EC (EU SCCs) and another approved by the ICO (UK SCCs).
The Legal Basis for Updating Standard Contractual Clauses
Many companies doing business in the EEA and the UK are scrambling to update their standard contractual clauses. This is largely the result of a well-publicized decision, issued on July 16, 2020, by the Court of Justice of the European Union (“CJEU”). Its decision in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“Schrems II”) represents a seismic shift for those companies relying on either the EU-U.S. Privacy Shield Framework or the existing standard contractual clauses as the basis for compliance with the Article 46 transfer mechanism.
Remarkably, the CJEU invalidated the Privacy Shield in Schrems II. While the CJEU did approve the continued use of SCCs as a legal Article 46 transfer mechanism, it identified legal concerns with the existing SCCs. In Schrems II, the CJEU underscored a fundamental rule that must be followed for data transfers outside the EEA to inadequate countries: any data exporter transferring personal data outside the EEA must verify, on a case-by-case basis, whether the destination jurisdiction ensures a level of data protection essentially equivalent to that of EU law.
More specifically, companies relying on SCCs to transfer data outside of the EEA to “inadequate” countries must conduct a transfer risk assessment to determine whether the surveillance laws or practices in the third country may impinge on the effectiveness of the relevant transfer mechanism. If the results of this assessment reveal risk, the data exporter must apply “supplementary measures” to the cross-border data transfer sufficient to mitigate the identified risk – enough to ensure a level of protection to the data that is essentially equivalent to the level of data protection in the EU.
Not sure what the Schrems II decision means for your business?
Let Advisori be your guide.
If your company is struggling to update its existing Standard Contractual Clauses, Advisori can help. We know that finding the right resources for the job, from experienced privacy attorneys to contract managers, is a challenge. That is why we have built a specialized team to ensure our clients meet their compliance deadline.
- We coordinate with internal stakeholders to identify and collect all contracts and artifacts necessary to scope the SCC remediation project;
- We review all existing contracts and related data transfers for purposes of identifying the contracts and SCCs needing updating;
- We create a detailed project plan including deliverables and tracking schedule;
- We develop a written and comprehensive SCC remediation project playbook tailored to your business operations and size;
- We draft or revise existing contracts and update their SCCs;
- We identify and work with those in privity of contract with our clients to ensure that all contracts are updated and executed.
Talk to us about your needs and how we can help. Our team is here for you.