European Commission Revises Rules for International Data Transfers

On June 4, 2021, the European Commission adopted revisions to the Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States. Last updated in 2010, the new SCCs adopt a “modular” approach that is intended to better reflect the complexities of contemporary data use and transfer. The new SCCs are also intended to address the Court of Justice of the European Union’s (“CJEU”) opinion in Schrems II, which invalidated the EU-US Privacy Shield (“Privacy Shield”) as a transfer mechanism and called into question the validity of SCCs over concerns that United States intelligence laws allowed access to personal data without adequate notice or protections for European Union citizens.

The new SCCs will become effective June 27, 2021, and all new data transfers seeking to use SCCs after September 27, 2021 will need to use the new clauses. Data transfer agreements entered into prior to September 27, 2021 that rely upon the current version of the SCCs will remain valid until December 27, 2022, provided that the data processing operations pursuant to such an agreement remain unchanged. Companies should review existing contracts to determine if the new SCCs need to be incorporated, update their template data protection agreements to reflect the new SCCs, and be aware of the additional obligations the new SCCs impose.

Background

The General Data Protection Regulation (“GDPR”) prohibits the transfer of personal information outside the European Economic Area (“EEA”), unless the country to which the data is transferred has been determined by the European Commission to provide adequate safeguards for personal data. As the United States has not been determined to provide adequate safeguards, companies have had to rely on alternative mechanisms such as the Privacy Shield, SCCs, and Binding Corporate Rules.

As we have previously discussed, in July 2020 the CJEU struck down the Privacy Shield and indicated that “supplementary measures” may be needed to adequately protect personal data transferred by SCCs from access by Untied States intelligence and national security agencies. The final version of the SCCs is substantially the same to the draft that was released in November 2020 (see our prior alert here). As negotiations between the United States and the European Union on a replacement for the now defunct Privacy Shield continue with no end in sight, SCCs and Binding Corporate Rules remain the preferred mechanisms by which data can be lawfully transferred from the EEA to the United States.

Notable Features

Modular Approach. Rather than one-size-fits-all, the new SCCs adopt a modular approach with different clauses for: (1) controller to controller transfers; (2) controller to processor transfers; (3) processor to processor transfers; and (4) processor to controller transfers. This will allow parties to an agreement to better tailor the terms to the circumstances of their data transfer, and perhaps obviate disputes as to whether a party is acting as processor or controller.

Flexible Parties. The new SCCs also allow for greater flexibility in contracting arrangements. The prior version of the SCCs only contemplated bilateral contractual relationships, often creating tension in modern, complex, multi-party data processing arrangements. The new SCCs allow for multi-party agreements, and also allow an entity that is not a party to the initial agreement to accede to the clauses at any time, either as a data exporter or as a data importer.

Annexes. The new SCCs set out a series of revised annexes that parties to the agreement, as well as entities seeking to accede to the agreement, must complete. Annex I requires a list of the parties, a description of the transfer, and a description of the processing, including the categories of personal data transferred, the purpose of the processing, and the period for which the personal data will be retained. Annex II addresses the technical and organizational measures taken to ensure the security of the data. Annex III addresses the list of sub-processors.

Transparency Requirement. A significant development is the requirement that data subjects must be provided, free of charge, a copy of the clauses used in a data transfer agreement, including the appendices applicable to the specific arrangement. A business is allowed to redact portions of the clauses and appendices to protect business secrets or other confidential information, but must provide a “meaningful summary” to allow a data subject to exercise their rights and must also, upon request, provide the data subject a reason for the redactions. This may place significant pressure on businesses who have entered into a confidential or sensitive business arrangement, and would not want the existence of their arrangement to be publicly disclosed.

How do the New SCCs Address the Concerns Raised in Schrems II?

To address the concerns expressed in Schrems II, the new SCCs contain a number of provisions designed to address circumstances where a data recipient may be subject to “laws and practices” that permit public authorities to access data in a manner that may be inconsistent with fundamental rights and freedoms. For data transfer to the United States, this issue is created when entities in the United States receive a national security request for data—national security letter, subpoena, or Foreign Intelligence Surveillance Act (“FISA”) warrant—from the United States government. The SCCs have several provisions that attempt to address these issues.

• Assessment of the Likelihood of Government Access. The SCCs require parties to “warrant that they have no reason to believe” that data transferred subject to the SCCs would be subject to such government access. But the SCCs provide that this warrant is not limited to whether such access is possible under the laws of a particular country, but whether, “under the specific circumstances of the transfer” and “any relevant contractual, technical or organizational safeguards put in place[,]” there is a practical likelihood that such access will, in fact, take place. In making such an assessment, an organization can take into account “prior instances of request for disclosure from public authorities, or the absence of such requests.” Parties must document this internal assessment and make it available to the competent supervisory authority upon request.

• Notification Requirements. If a data importer has reason to believe it cannot meet the SCC requirements to protect the data, it must “promptly” notify the data exporter, who may identify appropriate measures to ensure the confidentiality of the personal data or suspend transfer of the personal data. The data exporter must also suspend transfer of the data if directed by the competent supervisory authority. In such circumstances, the data exporter would be entitled to terminate the underlying agreement.

• Government Requests. Where a data importer receives a legally binding request from the government, it must notify the data exporter and, where possible, the data subject. If the data importer is prohibited from providing notice, it must use its “best efforts to obtain a waiver of the prohibition” and document those efforts “in order to be able to demonstrate them on request of the data exporter.” In addition, the SCCs obligate the data importer “to review the legality of the request for disclosure” and challenge the request in court, including on appeal, if the data importer concludes “there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity.” The data importer is obligated to document its legal assessment and any challenge to the request for disclosure, and make it available to the data exporter and the competent supervisory authority, to the extent legally permissible.

For those entities that are likely to receive national security requests, these provisions are going to be difficult, if not impossible, to comply with. And it seems unlikely that companies will be inclined to conduct a legal assessment of how a disclosure request comports with international law obligations and principals of international comity, let alone share that confidential assessment with external parties. But for companies that have never received a request from US intelligence or national security agencies, the SCCs are likely to be a viable mechanism for data transfer to the United States.

Conclusion

In general, the new SCCs are a welcome development for companies engaging in transatlantic data transfers. They offer increased flexibility and mechanisms to address the central role that data plays in the modern economy. Companies engaging in transatlantic data transfers should update their contracts to reflect the new SCCs and take steps to modify and document internal procedures to comply with the SCCs’ new administrative requirements.

While the new SCCs are an improvement for many companies, they are likely insufficient for companies that receive FISA warrants or similar government requests, as they will be unable to comply with the warranty and notification provisions. These companies remain in limbo, and will need to carefully monitor statements and enforcement actions from European data protection authorities, as well as challenges from European privacy advocates, to understand the risk they are shouldering by conducting transatlantic data transfers.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Tod Cohen, an O'Melveny partner licensed to practice law in the District of Columbia, Randall W. Edwards, an O'Melveny partner licensed to practice law in California, Scott W. Pink, an O'Melveny special counsel licensed to practice law in California and Illinois, and John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.