Navigating GDPR Cross-Border Data Transfers to the US
- Regulatory & Compliance
- 6 Mins
On June 4, the European Commission issued new standard contractual clauses (SCCs) for personal data transfers from EU member states to other countries. This change comes on the heels of the landmark Schrems II case that alleged prior practices interfered with General Data Protection Regulation (GDPR) compliance. This update was definitely due, as the SCCs had not previously been modified since the law’s enactment and failed to account for increased disclosure risks associated with the digital age. Data protection is a trending global concern not only for maintaining privacy but also to establish confidence in the digital marketplace.
The old SCCs were repealed on Sept. 27, 2021 and anyone using them before this deadline can deem the clauses effective until Dec. 27, 2022. Organizations located in the U.S. that will need data for litigation or investigations should brush up on the Schrems II ruling and SCC modifications to ensure lawful and expeditious cross-border data transfers.
Schrems II Decision
In July 2020, the Court of Justice of the European Union issued this pivotal decision that sparked the subsequent SCC overhaul. The case was originally filed by a consumer activist who was unhappy with Facebook’s data transfer policies between the U.S. and Ireland. He argued that allowing personal data transfers to the company’s U.S. headquarters put data at risk for interception or access by government intelligence agencies. The Court agreed and found the prior SCCs insufficient and noted that data transfer impact assessments will shed light on when extra measures are needed to adequately protected sensitive data during transmission – specifically looking at when a country does not offer the same level of protection and consumer rights as the EU. The Court particularly made note of the risk of U.S. government agencies having broader access and surveillance capabilities to data transferred between private companies.
Under the GDPR, personal data transfers are only authorized when adequate safeguards are in place to secure the data. Some countries like Canada and Japan have received adequacy decisions from the European Commission deeming their privacy laws good enough to facilitate secure transfers. The U.S. has not received this designation and was relying upon the old SCCs or EU-US Privacy Shield Framework to facilitate transfers prior to the Schrems II ruling, which invalidated both of these mechanisms.
Since the ruling came down in July 2020, there has been a lot of unknowns and affected organizations have been waiting to see how the European Commission would alter the longstanding SCCs, as this is one of the most common ways that cross-border data transfers from the EU occur not only in the U.S. but all over the globe. U.S. organizations were additionally affected since the Privacy Shield Framework was immediately invalidated when the Schrems II decision came down last July. Now there are answers and organizations should review the new SCCs thoroughly so they can prepare accordingly.
Important SCC Revisions
The new SCCs focus on increased accountability, transparency, and maintaining GDPR-level protection when data flows to other countries that have lower privacy standards. While there are some limited exceptions where these clauses are unnecessary to effectuate a transfer, they will be required in the vast majority of cases involving data export to U.S. organizations and other countries not deemed adequate by the European Commission. Here are some key revisions:
Modules: To provide more transfer specificity, the new SCCs offer four different modular clause options: 1) controller-to-controller, 2) controller-to-processor, 3) processor-to-controller, and 4) processor-to-processor. The last two were not options in the old versions and offer more clarity for how organizations effectuating those types of transfers should proceed to maintain GDPR compliance. While the language in the modules need to remain intact, parties can incorporate them into larger contracts and add additional terms that keep in line with the new SCCs and do not violate protections that the GDPR affords to consumers in regards to their personal data.
Extraterritorial Application: An organization exporting data does not need to be physically located in the EU to utilize the new SCCs, which differs from the previous rules. The data exporter just needs to be subject to the GDPR, like if they process EU consumer data or offer products to EU data subjects. However, it appears more clarity is needed when it comes to the data importers as the new SCCs only apply when their processing activities do not fall under the GDPR’s purview. Hopefully there will be future guidance about whether this means importers falling under the GDPR’s extraterritorial scope do not need to utilize SCCs, as this deviates from practices under the prior clauses and poses regulatory conflict.
Assessment and Risk: As an added layer of protection, both parties are now required to carry out a data transfer impact assessment to affirm there will be compliance. There are assessment criteria and risk factors laid out, two major ones being the importer country’s privacy laws and intended transfer safeguards. If a public body requests access to personal data subject to the GDPR, then the importer must follow certain directives to avoid unlawful disclosure that interferes with EU consumer rights.
Other Important Revisions: The new SCCs provide some restrictions for onward data transfers to other organizations located outside the EU and the use of sub-processors without prior consent. All agreements need to be explicitly included in the contract clause to avoid future disputes. Multi-party agreements utilizing the new SCCs are also authorized. Additionally, there are more data breach and security obligations included to guarantee adequate protection during transfers.
Remember, this is just an overview of some key features and organizations looking to effectuate these clauses should review the new text and any further guidance closely.
In order to remain GDPR-compliant and avoid increased liabilities, organizations that will require data transfers from the EU need to become familiar with the new SCC requirements and make necessary policy changes. Failure to do so could result in delays or the inability to transfer data that is crucial to U.S. lawsuits or investigations. The most important thing is to document all activities to promote transparency. This includes written contracts including the proper clauses, all processing activities, notices of roadblocks to compliance, remediation efforts, consumer notifications, and correspondence. Designate appropriate contacts to handle transfers, contracts, negotiations, and disputes. Rescind prior policies that violate the new SCCs and provide internal training opportunities to all individuals involved in these processes. If utilizing a third-party vendor, make sure they are familiar with the new requirements and take steps to provide added security.
For U.S. organizations in particular, utilizing the new SCCs may not be sufficient in all instances and additional measures could be required – like challenging data access requests from a public body. It is also of the utmost importance to create plans for data transfer impact assessments as soon as possible. Account for all necessary factors, designate team member responsibilities, and create clear process outlines. While not explicitly required since the SCC encompasses more protection efforts, organizations should also consider executing separate Standard Data Protection Agreements to cover all bases.
Following the steps above should help avoid future roadblocks and simplify the transfer process in light of recent changes. It is important to monitor any additional revisions, guidance issued, or case law that could change cross-border data transfer procedures.
If you found this blog interesting, consider reading Recent GDPR Fines Against Amazon and WhatsApp Set New Records.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.