5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: April 11, 2023
Published: June 4, 2021
Today, June 4, the European Commission announced new standard contractual clauses (SCCs). The news has been a long time coming. Ever since the Privacy Shield's invalidation, companies relying on transferring data from the EU to other jurisdictions have nervously waited to hear what kind of contractual requirements they'll face in order to transfer data across borders legally.
Standard contractual clauses indicate the data exporter and the data importer's agreement to protect the data they're sharing. SCCs are employed when one organization is outside of European privacy law's scope to ensure that the data involved will still meet the standards outlined in the EU General Data Protection Regulation. They're also used in transfers within the EU or the European Economic Area, but the requirements differ depending on whether the data is leaving the EU.
The Commission's new SCC documents themselves are dense. They will likely require legal counsel to interpret perfectly, but here are the areas you might want to first focus on as you consider your obligations.
The European Commission technically released two documents on the new SCCs. The first applies to data staying within the EU or the European Economic Area and is a standard controller-to-processor agreement. The second applies to cross-border data transfers, and it introduces "modules," which serve as categories or "buckets," as some might call them.
Under the former SCCs, there were only two relationships that could exist: controller-to-controller and controller-to-processor. But the Commission recognized some data flows are more complicated, so under the new SCCs, relationships between parties will fit into one of four modules, they are:
The added modules aim to give companies more flexibility. Controller-to-processor clauses are relatively straightforward. But where things sometimes get complicated is, for example, when a processor needs to transfer data to a sub-processor. Now there are rules on how to do that without breaking the law.
In the new SCCs, the European Commission adds some requirements to cross-border transfers in light of the Schrems II decision. In that case, the Court of Justice of the European Union shuttered the Privacy Shield agreement between the EU and the U.S., in part because the EU had concerns about U.S. government access to data.
In the revised SCCs, there are specific requirements on how to deal with government access requests.
The rules on "Local Laws and Obligations in case of Access by Public Authorities" apply to all four modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller). They outline what the controllers and processors (data exporters and data importers) must consider when assessing whether the data importer can comply with the contract on the table. The Commission calls for a risk-based approach that considers a multitude of factors.
Specifically, parties must examine:
Parties must also document any "supplemental" provisions they've put in place to ensure the data importer will safeguard the data. In addition, the data exporter has to consider the laws and practices of the destination country, the Commission says. Exporters must document their assessment of the third country, but the data importer also has to notify the data exporter if laws in their country change. As in, "Hey, company with whom I have a contract. Our home country just passed a law that the police can access any data we store at any time." In that case, the data exporter must indicate any supplemental measures it imposed to remedy the shortcomings introduced by the third country's new law. That is, anything that makes the third country's governing law weaker than the GDPR.
Suppose no measures can be taken to remedy the problem. In that case, the data exporter is to suspend the data transfer and "shall be entitled to eliminate the contract, insofar as it concerns the processing of personal data under these clauses," the Commission says. Any of the data exporters' past experiences with the third country is relevant in its evaluation. In other words, if you're transferring data to the U.S., you could say, "I have transferred data to the U.S. before and have no reason to be concerned that the U.S. government is going get a warrant and come after this data." And that would be relevant documentation in your risk-based approach.
But perhaps more eyebrow-raising is the provision that calls for companies to challenge government requests to access data. The Commission says that data importers must agree to "review the legality of the request for disclosure" from public authorities. They're advised to "challenge the request if, after careful assessment, it concludes there are reasonable grounds to consider that the request is unlawful under the laws of the country destination."
It's a pretty bold command, and it speaks directly to U.S. government agencies' past records tapping major tech companies for data using U.S. laws that allow them to collect metadata to aid in their crime-fighting missions. While it's a very small percentage of companies who've received these kinds of commands, it's a very big concern for the EU.
What's the deadline to comply?
Current data-transfer contracts can remain in place for 18 months. But any new data transfers can still rely on the old version of SCCs for another three months.
For more information about the new SCCs, see the European Commission's post. For now, it's essential to review your existing SCCs to determine whether changes are required within the next 18 months and to be sure any new contracts adhere to the new rules. Otherwise, they're only valid for another three months.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.