On June 4, 2021 the European Commission released two new sets of Standard Contractual Clauses (Standard Clauses or SCC), which can be used to govern transfers of personal data under the General Data Protection Regulation (GDPR). The prior versions of the Standard Clauses, which are currently in use to allow for transfers of personal data out of the European Economic Area to countries without an 'adequate' level of protection for personal data (Adequacy Decision), will gradually be phased out and will need to be replaced by the revised versions. While the revised SCCs allow for more flexibility in contracting than the prior versions, they also include increased documentation and security requirements, which present a greater compliance burden.
Under the GDPR, personal data relating to data subjects in the European Economic Area (EEA) may only be transferred out of the EEA under certain conditions. Personal data may be transferred without additional measures to a country that benefits from an Adequacy Decision of the European Commission, such as Israel. When transferring data to a country without an Adequacy Decision, such as the US, additional measures are needed. Until July 2020, transfers to the US were permitted under the EU-U.S. Privacy Shield framework. That mechanism was invalidated by the 'Schrems II' decision of the Court of Justice of the European Union. Schrems II confirmed that the Standard Clauses (which predate the GDPR) may continue to be used, provided that the data exporter: (i) assesses whether the law and practice of the recipient country afford a level of protection essentially equivalent to that in the EU, and (ii) properly safeguards the personal data, including by instituting supplementary measures where that assessment reveals gaps. Suggested supplementary measures include certain types of encryption, pseudonymization, and anonymization.
Two new sets of SCC were released: one set of clauses for contracts between controllers and processors generally (under Article 28 of the GDPR), and a second set governing transfers of personal data out of the EEA (under Article 46 of the GDPR). The new versions take into account the requirements of the GDPR as well as the Schrems II decision.
The new transfer SCC provide flexibility and can be used in various transfer scenarios. While the prior version only allowed for transfers from controllers to processors or between two controllers, the new version is modular and also covers transfers from processors to sub-processors and from processors to controllers, and an optional 'docking clause' allows additional parties to accede to the same set of clauses over time.
Under the new SCC, the data exporter must warrant that it has used reasonable efforts to determine that the data importer is able to comply with its obligations under the clauses. Both parties must also warrant that they have no reason to believe that the laws and practices in the recipient country would prevent the data importer from fulfilling its obligations under the clauses.
Along with these additional warranties, the new SCC have greatly increased documentation requirements. While the GDPR and the Schrems II decision already required parties to investigate the applicable law in the recipient country and to implement technical measures ensuring an adequate level of security, the new SCC require that this assessment be documented and made available upon request to the data exporter, the controller or the competent supervisory authority. Data importers must also set out in specific detail the technical and organizational measures used to protect the personal data involved in the transfer.
Concern over government access to personal data in the recipient country led to the invalidation of the EU-U.S. Privacy Shield. The new SCC therefore require that, if the data importer receives a legally binding request from a public authority for disclosure of the transferred personal data, or becomes aware of any direct access by a public authority to that data, it must notify the data exporter and, where possible, the affected data subjects, review the legality of the request, and, where there are reasonable grounds to consider it unlawful, challenge it.