EU data exporters get SCC model contracts after annulment of US-EU Privacy Shield

12 Nov 2020 6:00 pm by Matthew Newman

EU US Privacy Shield

EU-based data exporters began reviewing today updated model contracts for international data transfers — known as Standard Contractual Clauses or SCCs — a vital tool for transferring personal data that companies have relied on after an EU court annulled the EU-US Privacy Shield that was used by more than 5,300 companies.

The current SCCs, approved in 2001 and updated in 2010, cover only limited ways of transferring data, such as from an EU controller and a non-EU controller and transfers between an EU controller and a non-EU processor.

The European Commission has been working on updating the SCCs to ensure that they comply with the EU’s strict General Data Protection Regulation, which took effect in May 2018.

Companies have asked the commission to provide additional SCCs as business models become more complex: a service provider might perform a function that sits somewhere between controlling and processing the data; or indeed it might do both. Or a data processor in the EU might subcontract part of its work to another processor outside the bloc, creating a contract where neither party is the data controller.

The revised SCCs now cover new ways of transferring personal data, such from a processor to a sub-processor.

The commission's revision was also needed after the EU Court of Justice annulled the EU-US Privacy Shield on July 16 and imposed requirements on the use of SCCs.

Attention has focused on SCCs as companies that have relied on the EU-US Privacy Shield have been scrambling to find another legal basis for transferring data outside the bloc.

Under the GDPR, companies can transfer data only to countries that provide “adequate” protection of personal data. The commission has declared that only 12 countries have such adequacy.

For all other data transfers, a company can use numerous tools, such as SCCs or Binding Corporate Rules, which allow for transfers within a group of companies. If companies transfer data without assuring that the data protection is “essentially equivalent” to the protection provided under the GDPR, they could be penalized by a European Data Protection Authority.

Supplementary measures

In its July ruling, the EU Court of Justice said that companies can continue to use SCCs, but they must first assess whether the laws in the country receiving the data don’t impinge on the obligations for data protection that would make complying with the SCCs impossible.

If a company determines that the laws of the data importing country could lead to surveillance of the personal data, then it needs to add “supplementary measures” to the SCCs.

To help companies make this assessment, which must be done on a case-by-case basis, the European Data Protection Board issued guidance yesterday. The EDPB provided five scenarios in which supplementary measures — such as encryption — would allow the SCCs to be used, and two scenarios in which the circumstances couldn’t be fixed with technical or organizational measures.

In today’s documents, the commission said: “Controllers and processors are encouraged to provide additional safeguards via contractual commitments that supplement the standard contractual clauses.”

The commission released four modules for SCCs: controller to controller, controller to processor, processor to processor and processor to controller. The draft SCCs are subject to public consultation until Dec. 10.

For a year after the new SCCs are formally approved, companies can continue to rely on SCCs from 2001 and 2010 “for the performance of a contract concluded between them before that [approval] date, provided the contract remains unchanged, with the exception of necessary supplementary measures,” the commission added.

Related Articles