Still reeling from the sudden impact of the unexpected Schrems II decision last year, companies that handle European Union citizen data may soon see some relief from an update to the EU’s standard format for data transfer agreements. The European Commission has approved an updated version of the Standard Contractual Clauses (SCCs) often used to govern these data sharing arrangements, bringing them in line with General Data Protection Regulation (GDPR) requirements for data controllers and processors as seen through the lens of the Schrems decision.
There are a number of significant changes, but the one most central to the Schrems case is a set of due diligence and disclosure requirements for EU personal data that is sent to foreign countries. These are accompanied by new mandatory mitigation measures to limit the risk of this information drifting into the hands of government and intelligence agencies.
Significant update to SCCs changes international data handling requirements
SCCs are being relied upon as a legal bedrock on which to conduct EU-US data transfers. While the previous SCC structure remained legally viable, each individual contract has become subject to a stringent review by data protection authorities. Many organizations speculated that these contracts would not hold up in light of the Schrems effect on the terms of data transfer agreements.
The new model contract clauses are meant to ensure GDPR compliance without the need to retool existing SCCs and have them combed over by regulators. This data transfer mechanism is meant for EU organizations and their data transfer partners in non-European Economic Area (EEA) countries that do not have “trusted partner” status (those that have received an “adequacy decision,” a list of only about a dozen at this time). Schrems II sent a shockwave through the world as it unexpectedly took the US off the “trusted partner” list, on the basis of assumed free access to EU citizen data by that country’s government.
Data transfer agreements can be revised to use these new SCCs beginning in late September. Organizations with existing SCCs in the old format will be given an 18 month grace period to retool them (until December 2022). However, organizations using the old SCCs do not gain any special privileges from this in terms of current compliance requirements; they are still expected to perform a risk assessment as regards the exposure of EU citizen personal information to foreign governments and adopt any necessary mitigation measures, and the old SCCs are also still subject to review by a data protection authority.
Terms of the new data transfer agreements
One of the biggest changes to the structure of the SCCs is that rules have been added for data flow from processors to controllers; previously, the standard format only addressed transfers originating from a controller to another controller or a processor. These terms make it easier for certain industries (most notably the pharmaceutical industry) to get valid data transfer agreements in place with partners in non-EEA countries.
The wording of the new SCCs is also more clear. A nagging issue in achieving GDPR compliance for many companies has been the simple fact that the law is sometimes written in a vague or confusing way. The new SCCs are written in a way meant to simplify and make clear obligations for foreign data partners that may not routinely deal with the GDPR, particularly those in the US.
Of course, many of the changes directly address the Schrems II decision. The new SCCs require a variety of due diligence actions and disclosures meant to provide assurances against unauthorized government access. Data transfer agreements must not only consider the letter of the law in the non-EEA country in crafting these measures, but also consider “practical experience.” This provides some assistance to organizations that have no reasonable expectation of government authorities demanding access to EU citizen data from them; records of prior instances of such requests (or a lack thereof) are thus now expected to be a factor in determining the validity of SCCs.
Finally, the new SCCs implement a “modular” contract system that can be adapted to different circumstances rather than a rigid template.
Though these changes look to at least somewhat ease the current burden of cross-Atlantic data transfer agreements, some organizations are undoubtedly still wondering what adequate SCCs will look like in terms of measures that put EU citizen data beyond US government reach. European Commission Justice Commissioner Didier Reynders told reporters that sufficiently strong encryption of the data could satisfy the codes of conduct, or processing data in such a way that it cannot be connected to an individual (pseudonymization).
There was some speculation that the Commission might opt to kick the can down the road, implementing some sort of new data transfer agreements that would inevitably be challenged in court again (a process that has generally taken some years to play out). However, Reynders specifically said that the purpose of the new SCCs was to avoid a “Schrems III.”