
On 4 June 2021, the European Commission published the final implementing decision on standard contractual clauses (new SCCs) for the transfer of personal data from the EU to “third countries” such as the United States. The new SCCs will repeal and replace the existing SCCs (from 2001, 2004 and 2010) and address the entry into force of the General Data Protection Regulation (GDPR) and the decision of the Court of Justice of the European Union (CJEU) of 16 July 2020 in the Schrems II case, which invalidated the EU-US Privacy Shield. These will replace the old 2010 Standard Contractual Clauses. The new clauses reflect changes implemented with the EU's new data protection law, the General Data Protection Regulation (GDPR) of 2018. The GDPR restricts the types of personal data that can be legally transferred.

Following the Schrems II decision, the European Data Protection Board published its “Recommendations 01/2020 on measures to complement transfer instruments to ensure compliance with the EU level of protection of personal data” for public consultation. [13] The recommendations of the European Data Protection Board should “assist exporters (whether controllers or processors, private entities or public bodies processing personal data under the GDPR) in the complex task of assessing third countries and, where appropriate, identifying appropriate complementary measures” by providing a number of measures, potential sources of information and some examples of complementary measures that could be taken. [14]

Until recently, the two most commonly used mechanisms in the United States were the former SCCs and the EU-U.S. Privacy Shield Framework (the “Framework”). However, in July 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the case of Data Protection Commission v. Facebook Ireland, Schrems (“Schrems II”), invalidating the Framework. The CJEU said that due to US surveillance laws, which allow excessive collection of personal data from the EU without taking into account the principles of proportionality, necessity and redress, the Framework cannot provide protection essentially equivalent to the protection guaranteed in the EU.

Since then, Framework-certified companies have had to resort to other approved mechanisms, and parties relying on the former SCCs have had to reassess their compliance with these SCCs in the light of the Schrems II decision. Agreements between employers and third parties must be correct and include all categories of personal data transmitted and all purposes for which the data will be used. All companies that export and import personal data from the EU must be parties to the deal, Gordon said.

For data importers who are processors: as modules two and three also include the mandatory clauses of the GDPR, they are likely to be used only for transfers outside the EU to data processors (whereas the former SCCs were previously generally attached to a separate data processing agreement (“DPA”) that included the mandatory clauses of the GDPR). Modules two and three can reduce or even eliminate the need for a separate DPA, but it is important to note that since SCC Set One remains valid, SCC Set Two cannot be modified, and all the conditions of any current DPA you have will be replaced by the SCCs in case of conflict. If your company is a data processor outside the EU, we recommend that you review and compare the DPAs you currently have with applicable third parties to understand your future obligations, especially as these new SCCs may become the new market standard. You can also extend the new SCCs to meet the specific needs of your business, which is possible as long as these additions don't contradict or detract from the SCCs as written.

On 4 June 2021, the European Commission published two new sets of Standard Contractual Clauses (“SCCs”): (i) one for the processing of personal data between controllers and processors subject to the General Data Protection Regulation (“GDPR”) and (ii) the other for the transfer of personal data outside the European Union (“EU”). The updated SCCs allow more than two parties to comply with the terms of the contract with the SCCs and allow other controllers and processors to “join the standard contractual clauses as exporters or importers of data throughout the life cycle of the contract to which they belong”. This more complex contractual “ecosystem” was not taken into account by the former SCCs. These decisions aim to provide companies with more comprehensive contractual tools that they can implement before processing or transferring personal data from the EEA in accordance with the new requirements of the GDPR.

Unlike the old SCCs, which only applied to controller-to-controller (“C2C”) and controller-to-processor (“C2P”) transfers outside the EEA, the new SCCs include various modules that the parties can select and complete depending on the circumstances of the transfer (C2C, C2P, P2P and P2C). In addition, the new SCCs that apply to the transfer of personal data outside the EEA take into account the judgment of the Court of Justice of the European Union (“CJEU”) of 16 July 2020 in the Schrems II case. The new SCCs better reflect the requirements of the GDPR, which was adopted in May 2018, as well as the July 2020 ruling of the Court of Justice of the European Union (CJEU) in Schrems II, which invalidated the EU-US Privacy Shield with a legal opinion that also affected transfers relying on the SCCs. In general, the new SCCs are an improvement over previous standards, as they offer greater flexibility for long and complex processing chains and a “single point of entry that covers a wide range of transfer scenarios”. (See press release “European Commission adopts new tools for secure exchange of personal data”, 4 June 2021.)

“The new standard contractual clauses also require that this assessment be documented and made available to EU data protection authorities upon request,” Gordon said. “Many U.S. multinationals will have to rely heavily on external consultants to prepare for the required assessment.”

The new SCCs are not necessary for the transfer of personal data from the United Kingdom. The UK intends to publish its own standard contractual clauses by the end of 2021.

All new contracts must use the new standard contractual clauses after September 21, 2021. If, after this period, employers with employees in the EU provide data without adequate legal protection, they could face fines or legal proceedings. Regulators “have the power to order the suspension of data flow outside the EU. Such an order could be very disruptive for a U.S. multinational that centralizes and manages all employee data worldwide in a personnel information system stored on a server in the United States,” Gordon explained.

On 4 June 2021, the European Commission published a new set of standard contractual clauses aimed at providing adequate safeguards for the transfer of personal data to a non-EEA country in the absence of an adequacy decision by the European Commission for that country (“new SCCs”). [17] The new SCCs are based on the old ones and should therefore be used “as is”. [18] However, the new SCCs are more comprehensive than the previous SCCs and are intended to provide parties with flexibility to deal with complex data transfer scenarios. [5] Unlike other frameworks for the transfer of personal data outside the EEA provided for in Articles 46 and 47 of the GDPR, such as Binding Corporate Rules (“BCRs”), approved codes of conduct and certification mechanisms, or ad hoc contractual clauses negotiated in private between controllers and/or processors. All of these mechanisms require the intervention of a regulatory authority or a certified/authorised third party to monitor and authorise the transfer of personal data outside the EEA.

The new standard contractual clauses require companies to provide their employees with more information about data transfers than before under the GDPR. “Multinational employers with employees in the EU may need to review and redistribute the data processing notices they have previously provided to employees,” Gordon confirmed.