Last week, following a lengthy review, the European Commission has finally approved an updated version of the Standard Contractual Clauses (SCCs) to govern data transfers. Companies will have approximately 18 months to overhaul and adapt their data agreements and privacy practices to meet the requirements of the new SCCs.
This may be a familiar situation for US-based and other non-EU companies. Back in 2018, the General Data Protection Regulation (GDPR) was passed in Europe and permanently changed the privacy legal landscape for both EU companies as well as companies abroad. Non-EU companies who did not normally fall under the jurisdiction of EU authorities suddenly found themselves subject to the extra-territorial scope of the GDPR. Even more, other non-EU companies outside the direct scope of GDPR found themselves indirectly subject to GDPR, due to their receipt and processing of EU personal data. Given the hefty fines that can be levied for violations of GDPR, companies had no choice but to overhaul their data agreements and privacy practices to comply.
Since 2018, countries have updated their privacy laws at a dizzying pace. In the US, multiple states have passed or are contemplating more stringent consumer privacy laws. Internationally, countries are looking to GDPR as a model and have passed (or are considering) their own implementation of a comprehensive privacy regulation. To further complicate things, last year the European Court of Justice ruled in the Schrems II case to invalidate the EU-US Privacy Shield as a transfer mechanism and impose additional requirements for companies with respect to data transfers.
Not surprisingly, many companies have found it straining to keep up with the pace of change in privacy law, including non-EU companies who may not be directly subject to GDPR. In many cases, non-EU companies must transact with customers, partners, and other third parties at an international level and will often receive demands that they verify compliance with various privacy laws. Similar to when GDPR passed in 2018, non-EU companies who are not directly subject to GDPR can expect to find themselves having to comply with additional privacy obligations under the new SCCs by virtue of their interactions with EU-based entities or EU personal data.
Considerations for Non-EU Companies
The new SCCs take a modular approach which can be configured to different data transfer scenarios. In addition to controller-to-controller and controller-to-processor transfers, there are modules for processor-to-processor and processor-to-controller transfers. While this may be a welcome change for EU data exporters who now have more flexibility in addressing various transfer scenarios, non-EU data importers may find they now have to document and comply with exponentially more data transfer requirements. Particularly, many non-EU vendors are not only a processor of EU data, but are also an exporter as well as a sub-processor, depending on the scenario.
Taking into account the Schrems II ruling, the new SCCs contain express obligations for both parties to confirm that the laws of the destination country provide sufficient data protection, especially against data access by government authorities. This obligation falls on both data exporters and data importers. Consequently, non-EU companies will now need to conduct and document their own data transfer risk assessment. Since, as mentioned above, many non-EU vendors often find themselves in various roles depending on the data transfer scenario, it’s likely these non-EU vendors will need to maintain multiple transfer risk assessments.
The new SCCs also impose specific requirements on data importers in reviewing and responding to government access requests. Specifically, data importers must (i) review the legality of the access request, (ii) challenge the request if deemed unlawful, and (iii) pursue all other available legal remedies, including appeal, suspension, and delay. The data importer will not only need to implement an internal policy to comply with these requirements, they will also need to document in detail their response to any government access request and make such information available to the data exporter and relevant supervisory authority upon request. Under these new requirements, non-EU companies may find themselves squarely in the middle in the event of any government access request. They will likely bear the legal and administrative burden of responding to an access request by their own government, while maintaining compliance with divergent objectives under the new SCCs.
What’s Next?
The new SCCs impose numerous new obligations on both data importers and exporters. Companies will need to review their customer, vendor, partnership and other commercial agreements and carefully consider their role with respect to personal data. They should also plan to incorporate the new SCCs into their data agreements within the next 18 months.
Beyond a documentation overhaul, the new SCCs also require companies to document and maintain specific policies and documentation, including a transfer risk assessment and policy on government access response. Non-EU companies who are not directly subject to the GDPR may now find themselves needing to significantly bolster their internal privacy compliance program to meet the requirements of the new SCCs. Early stage companies without internal legal counsel will likely need the assistance of outside counsel to achieve compliance.
Non-EU vendors should also expect increased scrutiny from their customers regarding any processing or transfer of data. The new SCCs expressly require data importers to provide relevant transfer risk information to the data exporter and also contain additional transparency requirements in certain transfer scenarios. It’s likely that customers will exercise their rights as data exporters under the new SCCs to require evidence of compliance as well as other information or assistance from their vendors.
Looking ahead, the new SCCs may further shape the commercial and privacy legal landscape in a manner similar to GDPR. For example, when GDPR passed in 2018, it introduced the requirement of a data agreement to govern any processing of personal data. Since 2018, data agreements have become an integral part of most B2B commercial agreements and are now commonplace even in transactions outside the scope of GDPR. Today, most vendors will find it difficult to engage customers without offering a data agreement and certain privacy assurances. In the same vein, over the next few years, the requirements of the new SCCs may evolve into a general expectation for B2B engagements. Non-EU companies who can demonstrate proficiency with the new SCCs requirements will be able to differentiate themselves from those who cannot.
This article was originally published on Law.com on June 10, 2021.