How to Comply With the EU’s New SCC Framework
Since the Schrems 2.0 decision, any organization involved in the international transfer of personal data between the EU and America has been eagerly awaiting a new set of Standard Contractual Clauses (SCCs). In short, the SCCs previously used for such transfers were written before the implementation of the EU’s General Data Protection Regulation (GDPR), so revisions were needed to bring them up to speed.
Since this decision, many previously trusted mechanisms for international data transfers have been either struck down or deemed irrelevant. The EU-US Privacy Shield – a framework used by over 5,000 companies – was invalidated, implying that the US could not ensure the data protection standard required by EU law.
Since then, organizations have been waiting for the EU to finalize a new set of clauses they can adhere to when transferring data out of the EU. On June 4, that day finally came. Here is what you need to know about the new SCCs, which have been in place since June 27th.
What Is The Goal of the New SCCs?
The clauses’ purpose is to mend a hole in GDPR that allowed a substandard level of data protection to persist in the case of personal data transfers from the EU to a third country. Thus, organizations must view these clauses not only as a new set of rules for transfers, but as a surefire way to comply with GDPR and meet the standard of protection demanded by the EU. The majority of the clauses can be enforced by data subjects against violating exporters or importers. Keep in mind that entities using the old SCCs have until December 2022 to transition to the new ones.
A Wider Scope and New Modular Structure
One of the key differences between the new and old SCCs is that the new ones have a “modular” structure, which means that different regulations are outlined for four different scenarios (or “modules”): controller-to-controller transfers, controller-to-processor transfers, processor-to-processor transfers and processor-to-controller transfers. The latter two were not included in the previous SCCs, meaning that outbound data transfers are now possible for EU processors.
The new SCCs further open data transfers up by including a docking clause, which permits multiple parties to form a contract around the clauses and additional parties to sign on, even once the agreement has been implemented. If a new entity chooses to become a party to the clauses, it will be subject to their obligations but will not be held accountable for any violations it committed prior to becoming a party.
Here are the principles and regulations for a valid data transfer for each of these modules:
Module One: Controller to Controller
A data transfer for this module is subject to no specific instructions, although there are many safeguards to which the parties must adhere.
Purpose Limitation: Importers may only process personal data for the specific purposes of the transfers. Importers may process for an additional purpose if:
They have obtained the data subject’s prior consent
The activity is necessary for the “establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings”
The activity is necessary to protect the rights of the data subject or another individual
Transparency: Data importers must inform subjects of:
The importers’ identity and contact details
The categories of personal data processed
The destination and purpose of any onward transfers
The subjects’ right to obtain a copy or a meaningful summary of the SCCs free of charge
Accuracy and Data Minimization: Each party is responsible for ensuring that data is accurate and up-to-date. If a party discovers any inaccurate or outdated data, it must either erase or rectify it as soon as possible, informing the other party of the situation. All data must be adequate, relevant and limited to what is necessary for the purpose of processing.
Storage Limitation: Data shall be retained for no longer than necessary for the purpose of processing. To ensure compliance with this obligation, safeguards must be put in place such as erasure and anonymization of all data and back-ups at the end of the retention period.
Security of Processing: Data importers and, during transmission, exporters must implement “appropriate technical and organisational measures to ensure the security of the personal data.” This includes protecting against breaches or other unlawful access, disclosure, loss, destruction or alteration of personal data.
When implementing safeguards, parties must assess the risks involved in processing, the costs of implementing safeguards and the nature, scope or purposes of processing. The clauses specifically encourage parties to consider encryption and pseudonymisation.
The importer is responsible for regularly checking that an appropriate level of security is being met and that any entity authorized to process the data is subjected to a confidentiality obligation.
Importers must also be prepared to address and mitigate the effects of a data breach involving an onward transfer of data. In the case of a breach “likely to result in a risk to the rights and freedoms of natural persons,” importers must inform exporters and supervisory authorities of the situation without undue delay, including:
A description of the nature of the breach, including categories and the number of data subjects and records compromised
The likely consequences of the breach
The measures that have been or will be taken to address the breach
Where and how to get more information about the breach
In the case of a “high risk” breach, importers must notify data subjects as well, giving them access to all the aforementioned information, excluding the description of the nature of the breach. An importer is excluded from this obligation if they have already implemented measures to reduce the risk to the subject, or if notifying subjects would involve “disproportionate efforts”, in which case importers must issue a public communication instead. All relevant facts regarding any breach must be documented by the importer.
Sensitive Data: Specific restrictions and additional safeguards, such as pseudonymization or restricting access permissions, must be implemented for transfers involving sensitive personal data. This includes data that reveals:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Criminal convictions or offenses
Genetic information
Identifiable biometric information
Information about the subject’s sex life or sexual orientation
Onward Transfers: Importers may not disclose the data to any third party located outside the EU, including a third party in its own country, unless the third party agrees to be bound by these clauses or the importer has obtained explicit and informed consent from the data subject. This excludes transfers to parties in third countries deemed by the EU to have an adequate level of data protection, or data activity that is necessary for fulfilling other legal obligations or protecting the vital interests of individuals.
Processing Under the Authority of the Importer: The importer must ensure that any entity acting under its authority processes data only on its instructions.
Documentation: All parties must document any processing activity conducted under these clauses and be able to demonstrate compliance. This documentation must be made available to a supervisory authority upon request.
Module Two: Controller to Processor
For this type of transfer, the importer may only process data on documented instructions from the exporter, which may only be given during the duration of the contract. The importer must immediately inform the exporter if it is unable to follow instructions.
Purpose Limitation: The importer may only process for a purpose other than the specific purpose of the transfer when instructed to do so by the exporter.
Transparency: Considering the processor’s role in an onward transfer, the only transparency obligation of importers in this module is to make a copy or a meaningful summary of these clauses available to the data subject free of charge.
Accuracy: If the importer discovers any inaccurate or outdated data, it must inform the exporter as soon as possible and cooperate with them to erase or rectify the data.
Duration of Processing: The importer may only process the data for the specified duration. After the processing ends, the exporter must choose whether it wants the importer to delete all the data on their behalf or return the data to them and delete existing copies. The importer must continue to comply with these clauses until the data is deleted.
Security of Processing: The same breach notification and safeguard implementation obligations that exist for Module One exist here.
Importers may only grant personnel access to the data when strictly necessary to adhere to the contract and when the personnel in question are under a statutory obligation of confidentiality.
Sensitive Data: Module Two is subject to more or less the same obligations regarding sensitive data as Module One.
Onward Transfers: Importers may only disclose the information to a third party on documented instruction from the exporter. The exceptions listed for Module One apply here, with the exception that the processor cannot seek consent from the data subject.
Documentation: The importer must adequately deal with any inquiries from exporters regarding processing under these clauses, documenting any processing activities carried out on the exporter’s behalf.
Importers must be able to demonstrate their compliance upon request from the exporter, cooperating with audits when reasonable or necessary. Such audits and documentation must be made available to supervisory authorities upon request.
Module Three: Processor to Processor
Module Three details the conditions for a new type of transfer that was not allowed under previous SCCs. In cases where both the exporter and importer are processors, the exporter must inform the importer, prior to processing, that it acts as a processor under the instructions of a controller. The importer may process only on documented instructions from the controller, as communicated by the exporter. In cases where the importer cannot comply, it must immediately inform the exporter, who must then immediately inform the controller.
Purpose Limitation: The importer may only process for an additional purpose when instructed to do so by the exporter or by the controller, as communicated by the exporter.
Transparency, Accuracy, Duration of Processing, Security of Processing, Sensitive Data and Onward Transfers: Importers here have more or less the same obligations under these principles as importers in Module Two, with the additional obligation of the exporter to communicate with the controller when necessary.
Documentation: The same documentation obligations for importers in Module Two apply to importers in Module Three, with the additional implementation of the exporter as a mediating force between the importer and the controller.
Use of Sub-Processors
This clause only applies to Modules Two and Three, where the importer is a processor. In these cases, the importer must seek written authorization from the controller before sub-contracting any of its processing activities. To the extent reasonable, the importer must provide a copy of the sub-processor agreement to the controller.
If the importer intends to replace or add any sub-processors after having received the controller’s authorization, it must inform the exporter and give them the opportunity to object to these changes. The importer is fully responsible for the sub-processor’s compliance and must inform the controller if the sub-processor fails to comply.
Module Four: Processor to Controller
In Module Four – a type of transfer banned under previous SCCs – the roles are reversed: the data is transferred from a processor in the EU to a controller in a third country. In this case, the exporter may only process the data on documented instructions from the importer, and must immediately inform the importer if it is unable to follow these instructions. After processing has ended, the importer must decide whether the exporter must delete all personal data on their behalf or return the data to them and delete existing copies.
Security of Processing
In any transfer, both parties must implement “appropriate technical and organizational measures to ensure the security of the personal data.” This includes protecting against breaches or other unlawful access, disclosure, loss, destruction or alteration of personal data.
When implementing safeguards, parties must assess the risks involved in processing, the costs of implementing safeguards and the nature, scope or purposes of processing. The clauses specifically encourage parties to consider encryption and pseudonymisation. Any personnel authorized by the exporter to access the personal data must be committed to a statutory obligation of confidentiality.
The exporter must assist the importer in their efforts to implement these safeguards. When discovering a data breach, the exporter must inform the importer without undue delay and assist the importer in addressing the breach.
Data Subject Rights
Depending on the module, there are different processes parties must adhere to when handling data rights inquiries from subjects under GDPR.
For Module One, the importer must deal with any inquiries from data subjects within a month at the latest. The importer must take all appropriate measures to handle these requests, providing all necessary information in a clear, accessible format. Subjects have a right to:
Know whether their personal data is being processed
Obtain a copy of personal data related to them
Receive information on the recipients or categories of recipients of onward transfers involving their data, including the purposes of such transfers
Know how to lodge a complaint with a supervisory authority regarding a violation of the clauses
Rectify inaccurate data
Erase personal data that has been processed in violation of the SCCs
Withdraw consent from any processing activities
Object to and call for the end of any processing activities done for marketing purposes
For Modules Two and Three, the importer must notify the controller of any request it receives from a subject, only replying if authorized to do so by the controller. Importers must also assist the controller in fulfilling their obligations to respond to subject requests, implementing appropriate safeguards when necessary. In doing so, they must comply with any instructions from the exporter or the controller, as communicated by the exporter.
For Module Four, both parties are obliged to assist each other in any inquiries or requests made by subjects.
Liability
When the importer is a controller (Module One and Module Four), both parties are jointly liable for any damage they cause to each other or data subjects by a breach of the clauses, corresponding to each party’s responsibility for the damage.
When the importer is a processor (Module Two and Module Three), both parties are liable for any damage they cause to each other. However, if only one party is responsible for damage caused to a data subject and the other is not, that party is responsible for the damage.
How Should US Organizations Prepare?
Despite having over a year to transition, US organizations would be wise to take measures now in order to prepare for the new SCCs.
Most importantly, organizations should look at ongoing transfers of data already in place and readjust the contracts to adhere to these new clauses. In addition, they should put steps in place to conduct a risk assessment prior to a transfer that considers the nature of the transfer, the local laws and regulations of the third country, and the third party’s previous relationship with EU regulatory authorities.
Organizations would also do well to adapt internal data handling policies in order to comply with the EU’s standard of data protection, and to train employees on the nuances of onward transfers from the EU. Safeguards and breach response plans should be reworked as well, if necessary.