O’Melveny Worldwide

The Deadline for EU Standard Contractual Clauses is Here, Are You Ready?

September 27, 2021


Today, September 27, 2021, marks the expiration of the prior version of the European Union’s Standard Contractual Clauses (“SCCs”). SCCs are one of the primary mechanisms for transferring personal data outside the EU in compliance with the General Data Protection Regulation (“GDPR”). (See O’Melveny’s June 16, 2021 client alert on the new SCCs.) Companies relying upon SCCs to transfer personal data out of the EU will need to use the new version of the SCCs in any contracts entered into after September 27, 2021, and will need to transition all existing contracts to the new SCCs by December 27, 2022. This is no small undertaking, particularly as the new SCCs impose a number of additional obligations on companies. Below, we offer steps you can take to keep your company on track.

Choose Your Module and Options

Complying with the new SCCs requires more than just swapping out the old version for the new. The new SCCs offer greater coverage and flexibility, but require parties to document the module that reflects their relationship: Data Controller to Data Processor; Data Controller to Data Controller; Data Processor to Data Processor; Data Processor to Data Controller. They also require parties to choose among several optional provisions (Clauses 9, 11, 13, 17, and 18). An efficient way to address these issues, particularly where a company has a large number of contracts, is to adopt a default template (like the Data Controller to Data Processor module) that reflects the optional clauses likely to be most appropriate to the data processing.

In addition, the appendices to the new SCCs require additional information related to the nature of the data processing and the technical and organizational measures used to protect the data. Merely copying and pasting the information from the older version of the SCCs may be insufficient. Companies will need to devote time and resources to ensure that requirements in the new appendices are met and appropriately documented.

Schrems II Procedures and Surveillance Analysis

The new SCCs contain a number of provisions designed to address circumstances where a data recipient may be subject to “laws and practices” that permit public authorities to access data in a manner that may be inconsistent with “fundamental rights and freedoms.” Created with US surveillance authorities in mind, the new SCCs obligate the parties to analyze and document whether the country the data is being transferred to allows for impermissible government access under EU standards.

If companies have not done so already, they should conduct this analysis for data transfers and consider adopting a single analysis that could address all their contractual agreements. Companies should be mindful that their analyses must be made available to the competent supervisory authority upon request. In addition, companies should advise management of these new obligations and develop processes for compliance with other Schrems II-related obligations, including providing notice to the data exporter if a government data request is made and challenging the government data request “if there are grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity,” in other words, if the government request is of the kind that the EU has objected to previously.

Accounting for Brexit

Companies with agreements that provide for the transfer of personal data from the UK to the EU are in a difficult position as the UK Information Commissioner’s Office (“UK ICO”) has indicated that the new EU SCCs may not be used for personal data transfers out of the UK. Rather, the old versions of the SCCs should be used until such time that the UK updates its own provisions.

When the UK will issue updated provisions is unclear. On August 11, 2021, the UK ICO released a proposed draft of its international data transfer agreement (“IDTA”) for public comment. The provisions generally align with the principles of the new EU SCCs and offer a template addendum that companies can use in conjunction with the EU SCCs to lawfully transfer personal data from the UK. Unfortunately, the initial public consultation does not close until October 7, 2021, and there is no timeline for when the UK ICO will issue the final IDTA.

In the meantime, companies will have to modify contracts to account for both versions of the SCCs. Because older versions of the SCCs remain effective until December 27, 2022, companies with contracts that address data transfers from both the UK and the EU may want to delay updating their contracts until fall 2022, by which time the UK ICO will likely have released the final IDTA.

Conclusion

In addition to using the new SCCs in any future contracts that involve data transfers from the EU, companies should develop strategies to prioritize and update existing contracts that involve European personal data transfers. This will be particularly critical for contracts involving partners in member states with aggressive supervisory authorities, like France and Germany. December 2022 will be quickly upon us; do not delay.

Version of the SCCs Required for International Data Transfers

| Data Transfer | SCCs Needed? | Date |
| --- | --- | --- |
| EU-UK or UK-EU | No transfer mechanism required as each jurisdiction considers the other to provide adequate protections | N/A |
| UK-US | Use the prior versions of the SCCs until the IDTA is finalized | No announced date for issuance of final IDTA |
| EU-US | Use the new version of the SCCs | Must use new SCCs from September 27, 2021 onward; contracts using old SCCs must be updated by December 27, 2022 |
| Switzerland-US | Use the new version of the SCCs | Must use new SCCs from September 27, 2021 onward; contracts using old SCCs must be updated by December 31, 2022 |


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Tod Cohen, an O'Melveny partner licensed to practice law in the District of Columbia, Randall Edwards, an O'Melveny partner licensed to practice law in California, John Dermody, an O'Melveny partner licensed to practice law in the District of Columbia, and Scott Pink, an O'Melveny counsel licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.