Importers of EU data will need to analyze each data transfer for compliance with the new Standard Contractual Clauses; solely relying on data subjects’ consents may not be sufficient.
Since the European Court of Justice invalidated the EU-US Privacy Shield last year in its landmark Schrems II decision, importers of EU data have increasingly relied on Standard Contractual Clauses (SCCs) for international data transfers between the European Economic Area and countries without adequate data protection according to the European standard. The SCCs are important in the edata/ediscovery world, where relying on the so-called derogations (EU General Data Protection Regulation (GDPR) Article 49) is often not an option or is insufficient to ensure that European data can be securely transferred to the United States for litigation and investigation purposes.
The SCCs adopted by an Implementing Decision of the European Commission (EC) dated June 4, 2021 (New SCCs) offer a modular, flexible approach for a variety of data transfer scenarios. But the very detailed New SCCs, at 34 pages, also incorporate numerous Schrems II obligations, which makes their use burdensome. In particular, a detailed data transfer impact assessment (also called a risk analysis) will be required. Just signing and shelving the New SCCs, which are available immediately, is not an option.
The previous SCCs, adopted long before the GDPR, only accounted for transfers between one controller and another controller or processor. In contrast, the New SCCs have four modules:
The New SCCs require data exporters to use “reasonable efforts” to confirm that a data importer can satisfy its obligations under the clauses.
The data transfer impact assessment mentioned above must be thoroughly performed and documented. The data exporter must make the full documentation available to the data protection agency when requested. The assessment must cover the laws of the data importer’s country (especially its provisions on surveillance and data access) and practices that would prevent an EU-equivalent level of protection. In particular, the following elements must be considered according to Annex II to the Commission Implementing Decision on SCCs:
Recital 20 of the EC’s Implementing Decision also states that, regarding the impact of local laws on compliance with the SCCs, different elements must be considered as part of an overall assessment, including the following:
Probably in all relevant cases, the SCCs alone will not guarantee an adequate level of protection and supplementary safeguards will need to be implemented. There are three categories of safeguards:
Some examples from Annex II include measures for the following:
The New SCCs are very significant for data importers in the European Economic Area. Under Article 49(1)(e) of the GDPR, data transfers may take place when “the transfer is necessary for the establishment, exercise or defense of legal claims,” but this exemption (derogation) is limited. In a litigation or investigation scenario, relying (solely) on consents of the data subjects may not work. Every scenario will require an individual compliance analysis.
While the New SCCs provide guidance for lawfully transferring data to third countries, it is the parties’ obligation to ensure compliance with the GDPR and to document the relevant US law and practices. The EC does not provide a template for such an assessment. An incomplete or incorrect implementation of the SCCs opens the parties to litigation risks in Europe and potential fines under the GDPR.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: