Updated: April 11, 2023
Published: June 4, 2021
Today, June 4, the European Commission announced new standard contractual clauses (SCCs). The news has been a long time coming. Ever since the Privacy Shield's invalidation, companies relying on transferring data from the EU to other jurisdictions have nervously waited to hear what kind of contractual requirements they'll face in order to transfer data across borders legally.
Standard contractual clauses indicate the data exporter and the data importer's agreement to protect the data they're sharing. SCCs are employed when one organization is outside of European privacy law's scope to ensure that the data involved will still meet the standards outlined in the EU General Data Protection Regulation. They're also used in transfers within the EU or the European Economic Area, but the requirements differ depending on whether the data is leaving the EU.
The Commission's new SCC documents themselves are dense. They will likely require legal counsel to interpret perfectly, but here are the areas you might want to first focus on as you consider your obligations.
The European Commission technically released two documents on the new SCCs. The first applies to data staying within the EU or the European Economic Area and is a standard controller-to-processor agreement. The second applies to cross-border data transfers, and it introduces "modules," which serve as categories or "buckets," as some might call them.
Under the former SCCs, only two relationships could exist: controller-to-controller and controller-to-processor. But the Commission recognized that some data flows are more complicated, so under the new SCCs the relationship between the parties will fit into one of four modules: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The added modules aim to give companies more flexibility. Controller-to-processor clauses are relatively straightforward. But where things sometimes get complicated is, for example, when a processor needs to transfer data to a sub-processor. Now there are rules on how to do that without breaking the law.
In the new SCCs, the European Commission adds some requirements to cross-border transfers in light of the Schrems II decision. In that case, the Court of Justice of the European Union shuttered the Privacy Shield agreement between the EU and the U.S., in part because the EU had concerns about U.S. government access to data.
In the revised SCCs, there are specific requirements on how to deal with government access requests.
The rules on "Local Laws and Obligations in case of Access by Public Authorities" apply to all four modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller). They outline what the controllers and processors (data exporters and data importers) must consider when assessing whether the data importer can comply with the contract on the table. The Commission calls for a risk-based approach that considers a multitude of factors.
Specifically, parties must examine:
Parties must also document any "supplemental" provisions they've put in place to ensure the data importer will safeguard the data. In addition, the data exporter has to consider the laws and practices of the destination country, the Commission says. Exporters must document their assessment of the third country, but the data importer also has to notify the data exporter if laws in their country change. As in, "Hey, company with whom I have a contract. Our home country just passed a law that the police can access any data we store at any time." In that case, the data exporter must indicate any supplemental measures it imposed to remedy the shortcomings introduced by the third country's new law. That is, anything that makes the third country's governing law weaker than the GDPR.
Suppose no measures can be taken to remedy the problem. In that case, the data exporter is to suspend the data transfer and "shall be entitled to eliminate the contract, insofar as it concerns the processing of personal data under these clauses," the Commission says. Any of the data exporter's past experiences with the third country are relevant to its evaluation. In other words, if you're transferring data to the U.S., you could say, "I have transferred data to the U.S. before and have no reason to be concerned that the U.S. government is going to get a warrant and come after this data." And that would be relevant documentation in your risk-based approach.
But perhaps more eyebrow-raising is the provision that calls for companies to challenge government requests to access data. The Commission says that data importers must agree to "review the legality of the request for disclosure" from public authorities. They're advised to "challenge the request if, after careful assessment, it concludes there are reasonable grounds to consider that the request is unlawful under the laws of the country destination."
It's a pretty bold command, and it speaks directly to U.S. government agencies' past record of tapping major tech companies for data under U.S. laws that allow them to collect metadata to aid in their crime-fighting missions. While only a very small percentage of companies have received these kinds of demands, it's a very big concern for the EU.
What's the deadline to comply?
Existing data-transfer contracts can remain in place for 18 months, and new data transfers can still rely on the old version of the SCCs for another three months.
For more information about the new SCCs, see the European Commission's post. For now, it's essential to review your existing SCCs to determine whether changes are required within the next 18 months and to be sure any new contracts adhere to the new rules. Otherwise, they're only valid for another three months.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.