The European Commission, after a lengthy review, approved a new version of the standard contractual clauses (SCCs). For those who are unfamiliar, the SCCs govern the transfer of data from the European Economic Area to third countries that have not been deemed by the European Commission to provide “adequate” protections for data subjects’ rights and freedoms, including the U.S.
Companies will have approximately 18 months from now to adapt their data practices to meet the requirements of the new SCCs.
Ever since the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield framework last year in the Schrems II case, the SCCs have emerged as the predominant transfer mechanism used by companies for their privacy compliance programs. However, the ECJ’s ruling left open questions around the measures companies need to take to conform to the ECJ’s analysis of U.S. government access to personal data under the old SCCs. The new SCCs help bring some clarity to this issue.
At the same time, companies worldwide are reeling from the unrelenting pace of privacy law updates that have been or are being rolled out. In the U.S., numerous states have passed or are contemplating more stringent consumer privacy laws.
Internationally, countries are looking to the GDPR as a model and have passed, or are considering, their own comprehensive privacy regulations. Not surprisingly, many organizations are left with limited bandwidth to take on additional changes to their privacy compliance programs. Still, given the extra-territorial reach of the GDPR, companies will not be able to disregard the new SCCs. Failure to comply can result in significant penalties of up to €20 million ($24.23 million) or 4% of annual turnover.
What Needs to Be Done?
Companies will need to stop actively using the old SCCs in approximately three months. At that time, all new data transfers or modifications to existing data transfers must implement the new SCCs. From there, companies will have approximately 15 months to amend all of their existing contracts to include the new SCCs in order to maintain GDPR compliance.
In order to comply with the new SCCs, many companies, especially U.S. businesses, will need to significantly update their privacy compliance programs beyond just an overhaul of existing commercial data agreements. Unlike the old SCCs, which only contemplated controller-to-controller and controller-to-processor data transfers, the new SCCs cover a wider range of transfer scenarios in which a company may have a role.
Under the new SCCs, one business relationship can now encompass exponentially more transfer scenarios. Depending on a company’s role, it may be required to revise its privacy notice, implement additional security measures, and make updates to its internal privacy practices.
Additionally, all parties under the new SCCs will be required to carry out and document (1) their own risk assessment regarding a restricted data transfer and (2) policies designed to challenge and fend off government requests to access personal data.
Companies will not only need to implement new internal policies to meet these requirements, but they will also need to keep detailed records demonstrating their compliance and make these available (including for audit) pursuant to the transparency requirements in the new SCCs. In order to do so, companies will need to have processes in place to actively monitor their compliance with the new SCCs across a variety of business relationships.
For most organizations, complying with the new SCCs will impact many stakeholders, including legal, privacy, security, operations and also those indirectly or directly responsible for customers (both existing and new), partnerships, and suppliers. When implementing the new SCCs, companies should consider:
- Collaboration between relevant functional groups to assess the organization’s role in vendor, customer, partner, and intra-group relationships under the new SCC framework.
- Whether any requirements under the new SCCs can be folded into existing internal privacy policies and privacy program initiatives.
- Taking into account the 18-month deadline, planning to incorporate the new SCCs into existing contract renewal time frames, so as to reduce friction and increase the likelihood of adoption.
For multinational companies, updates to reporting, response, security and other internal policies, as well as any additional compliance required by the new SCCs, should be coordinated across geographies with respect to restricted data transfers. At the other end of the spectrum, smaller companies that do not have an internal privacy function will likely need to engage the assistance of outside counsel in order to meet the requirements of the new SCCs in the required time frame.
Non-EU-based vendors should also anticipate additional scrutiny and diligence from prospective customers regarding compliance with the new SCCs.
While the new SCCs help resolve some much-debated questions regarding the Schrems II ruling, adopting and complying with the new SCCs will likely be a hefty administrative and operational task for many organizations. This burden may be especially acute given both the prevailing reliance on the SCCs in data agreements and also the fact that organizations have stretched their resources in recent years just to keep up with the pace of change in the global privacy regulatory landscape.
To minimize the operational burden, companies should immediately begin planning for implementation of the new SCCs with a long lead time, so as to maximize synergies with their existing privacy programs and take advantage of natural contract renewal cycles.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Catherine Zhu is a data privacy and technology transactions attorney with Foley & Lardner LLP. She has advised hundreds of high-growth companies on commercial and data privacy matters, including how to implement business-intelligent privacy strategies within a complex regulatory environment.