In June 2021, the European Commission adopted new standard contractual clauses for transfers of personal data to non-EU countries.
If your company relies on standard contractual clauses, here is all you need to know.
Why were the new standard contractual clauses adopted?
1. The Privacy Shield Invalidation
In July 2020, the EU-US Privacy Shield was invalidated as it did not meet the GDPR standard for data protection.
After the invalidation, companies had to either adopt GDPR-approved mechanisms or stop transferring data outside the EU.
As a result, many businesses turned to standard contractual clauses (SCCs).
However, the standard contractual clauses were last updated in 2010. They did not take into account the GDPR nor the Privacy Shield invalidation. Therefore, a revision of the SCCs was much needed.
2. The Schrems II judgment
Following the Schrems II judgment, companies must verify, on a case-by-case basis, that all data transfers provide the same level of protection as if they were carried out within the EU.
In particular, the Court established two main requirements for companies transferring personal data outside the EU:
- Assess the local law in the jurisdiction where the EU citizens’ personal data is transferred.
- Implement supplementary measures to ensure all data transfers provide the level of protection required by EU laws.
However, the Court did not specify how companies should conduct the assessment nor what measures could be implemented. And that’s where the new standard contractual clauses come into play.
What’s the purpose of the new standard contractual clauses?
The new SCCs are meant to help data exporters assess third countries and implement appropriate supplementary measures.
Complying with the new standard contractual clauses
To help companies doing business outside the EU comply, the European Data Protection Board (EDPB) has adopted the following recommendations:
1. Document and map your transfers.
You should map all transfers of personal data to non-EU countries and ensure that you only transfer data that is absolutely necessary.
According to the EU Commission, some countries provide an adequate level of data protection. If you transfer data to one of these countries, mapping your transfers and monitoring the adequacy of the country is enough to comply.
As of August 2021, the EU Commission recognizes the following countries and regions as adequate:
- Canada (commercial organizations)
- Faroe Islands
- Isle of Man
- New Zealand
The adoption process of an adequacy decision for data transfers to South Korea has been launched in June 2021.
2. Identify your data transfer tools.
To transfer data to a country that is not considered adequate, you need to either:
- Use one of the transfer tools listed under Article 46 of the GDPR, such as standard contractual clauses, binding corporate rules, approved codes of conduct, certification mechanisms, etc.
- Rely on one of the derogations set out in Article 49 of the GDPR (if you meet certain conditions).
If you rely on the derogations, you don’t need to take any further steps.
However, if you use one of the transfer tools, continue reading.
3. Assess the level of data protection in the third country.
Start by assessing if the national law of the third country protects personal data at the same level as the GDPR.
Additionally, check if public authorities have excessive power when it comes to invading people’s privacy. If they do, you will have to suspend the data transfers or implement adequate supplementary measures.
Companies should use the European Essential Guarantees recommendations as guidance on assessing the level of protection.
The assessment should be performed with due diligence and thoroughly documented (to be provided to authorities upon request).
4. Identify and adopt supplementary measures.
If the assessment reveals a need for them, you must adopt supplementary measures. This is necessary to bring the level of protection up to the EU standard.
The assessment of supplementary measures should also be conducted with due diligence and documented.
Examples of supplementary measures are:
- Pseudonymization and encryption of personal data
- User identification and authorization
- Ensuring the physical security of the locations where personal data are processed
If no supplementary measures are suitable, you must suspend or end the transfer.
5. Take the required formal procedural steps.
For example, you might need to update your SCCs to include other requirements after implementing the supplementary measures.
6. Continuously monitor developments.
You need to periodically re-evaluate the effectiveness of the data protection measures in place.
This step includes ongoing monitoring of the jurisdictions to which the data is transferred as regulatory changes might affect the level of protection.
For instance, if a new national data privacy law is adopted in the third country you do business with, you must assess the country again.
The Privacy Shield Invalidation created uncertainty for companies that transfer data overseas.
Thankfully, the new Standard Contractual Clauses and EDPB recommendations clarify how businesses can ensure GDPR compliance in light of the Schrems II ruling.
However, meeting the new obligations is easier said than done. The complexity of the process could ultimately lead organizations to locate personal data within the EU and avoid transatlantic data transfers if not absolutely necessary.