The ruling that the EU-U.S. Privacy Shield is no longer a valid data transfer mechanism under GDPR accelerated the timeframe for new SCCs, but there’s still work to be done. Here’s what you need to know to stay compliant.
To secure data and enable transatlantic commerce, organizations leaned on the EU-U.S. Privacy Shield, a framework designed to demonstrate that organizations have implemented controls to protect personal data when transferred from the European Union (EU) to the United States (U.S).
In today’s always-connected world, the amount of personal data processed and collected is ever increasing. Though insight into consumer preferences can enable organizations to make better business decisions and provide consumers with more effective products and solutions, organizations face a significant challenge: complying with rigorous data privacy regulations. Privacy Shield was designed to help organizations do just that.
However, in July 2020, the Court of Justice of the European Union (CJEU) issued a judgement that invalidated the adequacy decision provided to the EU-U.S. Privacy Shield under Article 45 of the General Data Protection Regulation (GDPR).
The Adequacy Decision and the New SCCs
Adequacy decisions are determined by the European Commission based on information regarding adequate data protection policies in place by a third country or international organization. Basically, a non-EU country needs to state what data privacy policies are in place to protect the personal data of EU residents and illustrate the processes and procedures implemented to ensure personal data transfers receive an essentially equivalent level of protection to the data protection regulations defined by the EU.
When the EU-U.S. Privacy Shield adequacy decision was invalidated, many organizations were left scrambling to determine what to do. In fact, many organizations shared that the ruling made it incredibly difficult to lawfully transfer personal data across the Atlantic, which put them in a tough spot. Organizations needed to quickly identify a solution to ensure they could continue doing business abroad while satisfying data privacy requirements.
The New Version of Standard Contractual Clauses (SCCs)
The existing SCCs — initially created in 2001 and last updated in 2010 — seemed like a good option to fill the gap after the adequacy decision afforded to Privacy Shield was invalidated as a data transfer mechanism under Chapter 5 of the GDPR.
In June 2021, the European Commission approved a new version of SCCs that included the creation of a modular design and accounted for a variety of processing relationships due, in part, to the CJEU’s ruling in Schrems II in July 2020. In fact, Section III of the new SCCs specifically addresses Schrems II requirements.
The creation of four modules as part of the new SCCs accommodates various controller and processor relationships. This ultimately allows organizations to account for more scenarios involving international data transfers.
The four modules include:
- Controller-to-Controller (Module 1)
- Controller-to-Processor (Module 2)
- Processor-to-Processor (Module 3)
- Processor-to-Controller (Module 4)
Worth noting, however, is that despite the SCCs being updated and more user-friendly, there is still a requirement to analyze each data transfer on a case-by-case basis and to implement supplementary measures as necessary to ensure the importer receiving the data provides an essentially equivalent level of data protection to that of the EU.
Challenges and Deadlines with the New SCCs
The introduction of the new SCCs is also accompanied by new deadlines. In fact, with the approval of the new SCCs, the European Commission stated organizations have less than 18 months to comply with the updated guidance or open themselves up to the risk of noncompliance with the GDPR.
| Deadline | Requirement |
|---|---|
| September 27, 2021 | Organizations with pre-existing SCCs have three months to complete the transition. This means that every new data transfer, or modification to an existing data transfer, must be done in accordance with the new SCCs. The old SCCs cannot be used in any new contracts beginning September 28, 2021. |
| December 27, 2022 | Organizations must move all existing data transfers to adhere to the new SCCs. |
The key takeaway from the latest updates around the GDPR and SCCs is this: don’t wait.
A-LIGN recommends getting started with the following actions:
- Analyze Personal Data Transfers. Though it makes sense that an organization should know who it transfers data to and what data transfer mechanism is relied on to transfer data from the EU, it can be a lot of work to manually compile this information and document the data transfer mechanism for each transfer.
- Repapering Data Processing Agreements. If your organization relied on the prior version of the SCCs, or the now invalidated EU-U.S. Privacy Shield, you have an obligation to review all such transfers. As part of this review process, you need to either identify a new data transfer mechanism or update to the new version of the SCCs by the established deadlines.
- Supplementary Measure Analysis. If your organization chooses to rely on the updated SCCs, then your organization will have an additional requirement to carry out and document an analysis and rationale around each personal data transfer out of the EU, and the technical and organizational controls in place to ensure an essentially equivalent level of protection. Organizations will also need to keep detailed records that demonstrate their compliance and show accountability.