What’s happened?

The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course.

Companies will only be able to enter into new agreements containing the old SCCs until 26 September 2021, and all contracts using the old SCCs concluded before then will need the new SSCs incorporated by 27 December 2022.  Companies therefore need to decide when, and how, they will roll out the new SCCs.

When they do, companies may want to play close attention to the European Data Protection Board’s (“EDPB”) final guidance on supplementary measures that can be combined with the SCCs (and other transfer mechanisms) to ensure “essential equivalence” where laws in the receiving jurisdiction might impinge on the protections the SCCs give.

What do you need to do?

As a quick reminder, the developments in large part flow from last year’s Schrems II decision by the Court of Justice of the European Union. Schrems II invalidated Privacy Shield. As we wrote at the time (see our blog posts here and here), the rationale of Schrems II threatened to also undermine other existing transfer mechanisms such as the SCCs. The world has therefore been waiting for updates to the SCCs to address those challenges.

Post-Schrems II, a one-size-fits-all approach to cross-border transfers poses significant enforcement risk and – looking ahead – may be a catalyst for private litigation.  To help minimize those risks, companies should consider the following steps now that the new SCCs have been issued.

  1. Secure adequate resources. Many organizations, but particularly data processors providing services across borders (who are likely to be party to a large number of agreements using the old SCCs), will need to devote significant additional resources to be able to review and revise pre-existing agreements incorporating the SCCs.  Administering and maintaining the SCCs will also be more burdensome on an ongoing basis, given increased focus on data processing supply chain accountability and the need to keep data transfer impact assessments (“DTIAs”) up-to-date.
  2. Map cross-border data transfers. The EDPB recommends that companies map all cross-border data transfers as a starting point.  Many companies will have already done this, at least in part, for their records of data processing.  Those mapping exercises may need to be updated, though, to address certain key issues:

First, to ensure all cross-border transfers are captured.  The EDPB guidance stresses that remote access to data from outside the EU is a cross-border transfer even if the data remains hosted in the EU.  Companies should therefore confirm that remote access transfers are captured accurately.

Second, to capture onward data transfers to (or within) third countries by data importers.  The new SCCs explicitly state that companies must take into account onward transfers when conducting the mandatory DTIA.  Having an accurate understanding of where data goes after a company has transferred it to the data importer is therefore key.  This would be relevant, for example, to a U.S. parent company which receives EU personal data from a European subsidiary using the SCCs and needs to make an onward transfer to a third party vendor in the U.S..

Third, to ensure that existing controller/processor/joint-controller designations remain accurate.  The previous lack of processor-processor SCCs may have led some companies to designate themselves (or the recipient) as a data controller so they could use the old SCCs to make transfers to third countries.  The new SCCs introduce processor to processor (and processor to controller) SCCs.  Companies will want to be sure they are putting the right clauses in place when renewing agreements.

  1. Review transfers. Heightened compliance requirements coupled with increased regulatory and legal risk, may mean some companies choose to limit their cross-border transfers.  Companies should review their current cross-border transfers and determine whether any transfers to third countries can be avoided entirely or the volume of data transferred reduced.  To use the SCCs, companies will need to conduct DTIAs.  Reducing the number of transfers and volume of data transferred will streamline that (ongoing) process.  It will also help companies ensure that they meet their data minimization obligation.
  2. Conduct DTIAs. The new SCCs require companies to perform a DTIA to determine whether law and practice in the receiving jurisdiction would prevent the data importer from meeting its obligations under the SCCs (Clause 14).  Following Clause 14’s plain wording and the EDPB guidance, there is greater scope for subjective considerations than originally envisaged.  According to the EDPB guidance, the assessment should be made “in the context of your specific transfer” and therefore can take into account the fact that, in some cases, there may be “no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer”.  DTIAs will need to be documented, and reviewed periodically and/or when laws and practices change in the receiving jurisdiction.
  3. Assess and implement supplementary measures as necessary. Where the DTIA reveals that local laws and practice might impinge on the protections given by the SCCs, companies will need to determine whether supplementary measures can be put in place to ensure personal data is adequately protected.  These can be a combination of organizational, contractual and technical measures and companies may find it helpful to consider what may be appropriate against the EDPB guidance.

Again, this will be a dynamic process.  The EDPB guidance stresses that what is currently sufficient to safeguard data might not be in the future.  For example, encryption might prevent foreign governments accessing personal data now, might not in the future as quantum computing or other technical developments occur that could call into question the durability of the encryption.

In many cases though, supplementary technical measures may overlap with the controls many companies are increasingly trying to impose on vendors to help guard against the increasing threat of supply chain attacks.  This is also reflected by the fact that the new SCCs’ security measures section requires controller-processor agreements to list the specific data security measures implemented by the processor and its sub-processors.

When deciding when to start this process, it is important to keep in mind that despite the new SCCs only having to be used from 27 September 2021 onwards, and agreements in place by that date able to contain the old SCCs until 27 December 2022, transfers under the old SCCs without any supplementary measures may draw regulatory scrutiny.  Data protection authorities across the EU have already commenced enforcement action against companies using the old SCCs, including those using well-known vendors Cloudflare and MailChimp.  That scrutiny looks only set to continue.

For the time being, the new SCCs cannot be used for transfers to third countries from the UK as they have not been approved as a valid cross-border transfer mechanism by the UK government, adding to the complexity of the issues outlined above where transfers are taking place from both the EU and the UK. Revised UK SCCs are expected later this year.

***

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, regular advice to clients on privacy policies, online marketing practices and related matters.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Robert Maddox is an associate based in the London office and a member of Debevoise's White Collar & Regulatory Defense and International Dispute Resolution Groups, as well as the firm’s Data Strategy & Security practice. His practice focuses on complex multi-jurisdictional investigations, disputes and cybersecurity matters. He can be reached at rmaddox@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.