European Commission Releases Additional Guidance on SCCs for International Data Transfers
On May 25, 2022, the European Commission announced the release of a new guidance document relating to standard contractual clauses (SCCs) and international data transfers. The guidance is included in a series of questions and answers, which the European Commission is making available for "general informational purposes only," but nonetheless to "provide practical guidance on the use of SCCs and assist stakeholders in their compliance efforts under the GDPR."
At a high level, SCCs are standardized data protection clauses that have been approved by the European Commission. Inclusion of SCCs in international data transfer agreements enables controllers and processors to comply with their obligations under the GDPR. The European Commission adopted two sets of SCCs on June 4, 2022: one that addresses various transfers between controllers and processors and one that addresses transfers outside the EU.
Because the US-EU Privacy Shield was invalidated by the Court of Justice of the European Union's (CJEU) 2020 "Schrems II" decision, SCCs have been the primary mechanism for transferring data from the EU to the US in compliance with the GDPR (for discussion of the Schrems II decision, see here). Prior guidance from European authorities explained that transfers under SCCs are acceptable so long as the personal data being transferred are subject to "essentially equivalent" protections as they would be in the EU. In order to achieve "essentially equivalent" protections, the European Data Protection Board has advised parties transferring data that they may need to adopt additional safeguards, such as encrypting the data prior to transfer (for further discussion of this guidance, see here).
Significantly for businesses transferring data outside of the EU, the new SCCs create an obligation, primarily on the data exporter, to conduct a "transfer impact assessment" to assess the destination jurisdiction's data protection laws which would govern the data to be received from the controller in the EU. When performing this analysis, businesses should consider the specific circumstances of the contemplated transfers, including the category and format of the data, the type of recipient, the economic sector in which the transfer occurs, and the length of the processing chain.
The guidance also illuminates the types of information that should be considered when conducting a transfer impact assessment. Specifically, the guidance notes that businesses may consider: (1) reliable information on the application of the destination country's domestic laws in practice, including case law and reports by independent oversight bodies, (2) the existence or absence of requests from the destination country's public authorities for access to data in the relevant sector, and, under certain conditions, (3) the documented practical experience of the data exporter and/or importer. Where there is a negative transfer impact assessment, the parties may only transfer data based on the SCCs "if they put in place additional 'supplementary' safeguards (e.g. technical measures to ensure data security, such as end-to-end encryption) that address the situation and thus ensure compliance" with the SCCs.
Looking ahead, the landscape for international data transfers may change significantly in the coming months based on the recent announcement that the US and EU have reached an "agreement in principle" on a new bilateral transfer framework. However, the details of that agreement have not been disclosed, and it remains to be seen whether it will be formalized by US and EU authorities. Moreover, the new framework will almost certainly be challenged by Max Schrems, whose organization, NOYB, has already drafted an open letter opposing the agreement in principle and encouraged "negotiators on both sides of the Atlantic to advance much-needed reforms on US law." In addition, Schrems "is prepared to challenge any final adequacy decision that would fail to provide the needed legal certainty." As such, notwithstanding any bilateral developments or possible changes to US law, SCCs are likely to remain an important mechanism for effectuating GDPR-compliant transfers of data from the EU to the US.