It's been over a year since the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement between the European Union (EU) and the United States (U.S.). What was once a valid mechanism for international personal data transfers under the General Data Protection Regulation (GDPR) was deemed inadequate to protect the privacy of the personal data of EU citizens. This decision forced many countries to find alternative measures for transferring personal data such as GDPR-sanctioned Standard Contractual Clauses (SCCs), binding corporate rules (BCRs), and derogations.
Eleven months after this abrupt July 2020 ruling, the European Data Protection Board (EDPB) published its final recommendations outlining guidance for making international personal data transfers that comply with EU data protection rules. The 48-page recommendations document includes two new sets of SCCs: one for use between controllers and processors and one for the transfer of personal data to third countries. These recommendations reflect both the requirements of the GDPR and the (invalidated) Privacy Shield agreement to ensure a high level of data protection for EU citizens.
In this blog, we'll take a closer look at these final recommendations on supplementary measures for personal data transfers recently issued by the EDPB and at how your organization can prepare to implement these new changes.
In its July 2020 Schrems II judgment, the CJEU invalidated the EU-U.S. Privacy Shield agreement on account of invasive U.S. surveillance programs. The court upheld SCCs for the transfer of personal data but required that, in order to be used, they provide a high level of data protection equivalent to that of the GDPR. This decision impacted over 5,000 U.S. companies that were required to update their programs to rely on alternative transfer mechanisms while they waited for either practical long-term personal data transfer guidance or a successor framework.
On June 4, 2021, the European Commission (EC) announced it had released guidance, called "the Recommendations," that outlines how organizations should approach international personal data transfers in the aftermath of the Schrems II decision. The initial draft of the Recommendations was released in November 2020, when it adopted implementing decisions for the new SCCs and provisions to prevent organizations from considering the "subjective" likelihood that personal data would be accessed by law enforcement. Following the EC's introduction of the revised Recommendations just two weeks earlier, the EDPB adopted its final Recommendations on supplementary measures for personal data transfers on June 21, 2021.
The Recommendations feature a six-step process that organizations must follow to map their personal data transfers and the mechanisms used for them. The process also includes sources of relevant information and examples of supplementary measures that can be put in place to ensure compliance with EU laws. In addition, where the laws of the relevant third country leave gaps in equivalent protection, the Recommendations provide supplementary measures that can be applied to maintain that protection.
The six steps are as follows:
- Know your transfers and, via a transfer impact assessment, verify that the personal data you transfer is adequate, relevant, and limited to what is necessary for the purposes for which it is processed
- Verify that the transfer tool your transfer relies on (SCCs, BCRs, and/or other technical and supplementary measures) is adequate
- Assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on
- Identify and adopt supplementary measures that are necessary to bring the level of protection of the personal data transferred up to the EU standard of essential equivalence
- Take any formal procedural steps the adoption of your supplementary measures may require
- Reevaluate the level of protection afforded to the personal data you transfer to third countries and monitor if there have been, or there will be, any developments that may affect it
The New Standard Contractual Clauses
One of the most significant updates within the Recommendations is the substantial overhaul of prior versions of the standard contractual clauses. SCCs are pre-approved contractual terms between an EU controller or processor and a non-EU processor. The new SCCs are designed to address the shortcomings the CJEU identified when it dismantled the Privacy Shield agreement based on the Schrems II findings. The new SCCs also offer more flexibility for making personal data transfers that are compliant with the GDPR.
The new SCCs are written in a modular form: depending on the nature of the data transfer, different modules apply and alter an organization's obligations. The four modules that can be used for data transfers include:
The old SCCs did not account for processor-to-processor or processor-to-controller personal data transfers. The new SCCs reinforce data subjects' rights by including a provision that personal data exporters must provide data subjects with information and notice that their personal data will be processed, along with the contact information for complaints or requests. An organization must also notify the personal data exporter when it has received a data request from a non-European government and must assess the validity and legality of complying with such a request. In addition, any significant alterations or modifications to the SCC templates must be approved by the EU Commission.
Timeline for the New Standard Contractual Clauses
Little time was wasted between when the new SCCs were adopted and when they went into effect. The new SCCs took effect on June 27, 2021, just six days after the EDPB issued its final recommendations, but the old SCCs can still be used for new personal data transfers (i.e., new contracts) until September 27, 2021. Existing personal data transfers (i.e., existing contracts) can continue under the old SCCs until December 27, 2022, which is the absolute final date for all personal data transfers relying on them.
With the new SCCs already in effect, and not much time between now and December 2022, those hoping to continue to export personal data out of the EU would be prudent to start their implementation efforts now. Here's what to consider when implementing these new SCCs.
- Review your current international personal data transfer arrangements, via a transfer impact assessment, to ensure they remain compliant amidst these new changes
- Determine whether any internal administrative or technical changes will need to be implemented in order to incorporate the new SCCs into your contracts
- Identify all existing contracts that will need to be updated or amended by the specified deadlines
- Update old contract forms and ensure any new contracts use the new SCC language before the effective deadlines
- Prepare responses for information requests from EU customers seeking to assess the effectiveness of their transfer tools
While the new SCCs have already taken effect, controllers and processors currently using previous versions have a grace period to transition to the new SCCs. And although these new SCCs were long-awaited, it will still take time to roll out any new amendments. If your organization currently relies on SCCs for its cross-border personal data transfers, starting now will ensure that all future contracts have the appropriate language and that future personal data transfers can still take place come December 2022.