The European Commission’s release of updated standard contractual clauses and the European Data Protection Board’s recommendations on supplemental measures bring both welcome clarity and new challenges for companies transferring data from the European Union to the United States. On the positive side, the updated SCCs, which reflect the realities of the EU General Data Protection Regulation, are designed to be more flexible and their modular design makes them easier to use. They can be used for processor-to-processor and processor-to-controller transfers and include a “docking” provision that makes it possible for companies to join and exit group arrangements for data transfers. In the past, companies could not amend the clauses, and now they can customize them.
But the burdens imposed on companies — particularly small businesses — that wish to use the SCCs are significant. The additional obligations introduced by the SCCs and the recommendations are especially problematic in light of the Court of Justice of the European Union’s invalidation of the Privacy Shield as a mechanism to support data transfers. The recommendations state that for each instance of data transfer, controllers or processors acting as data exporters must verify on a case-by-case basis whether the law or practice of the third-country importer may compromise the effectiveness of the SCCs. When the data exporter determines the law or practice of the third country is not “essentially equivalent” to that of the EU, companies are expected to implement the supplemental measures to raise protections to the level required.
The supplemental measures recommended by the EDPB require companies to carry out a six-step process to ensure transfers comply with “Schrems II”:
- Map the data transfer, including onward transfers to sub-processors of personal data to third countries.
- Verify the tool the data transfer relies on. If there is an adequacy decision, monitor that it remains in place.
- Assess whether, in the context of the transfer under consideration, anything in the law and/or practices of the third country may have a negative impact on the effectiveness of the SCCs.
- Identify and adopt the supplemental measures needed to bring the level of protection of the data transferred to the standard of EU essential equivalence.
- Take any practical steps that adoption of supplementary measures may require.
- At appropriate intervals, reevaluate the level of protection afforded to the personal data transferred to third countries and monitor any changes in circumstances that may affect it.
The impact of these requirements on any company will be substantial, but small and medium-sized enterprises will be most affected. Companies with mature privacy programs and deep resources to devote to data protection compliance may find these new obligations challenging but are likely equipped with the expertise and staffing necessary to meet them.
Smaller companies, however, may lack the legal expertise and staffing necessary to carry out the risk analysis, documentation and monitoring articulated in the recommendations. The burden on these companies is so significant that the obligations imposed by the new SCCs and supplemental measures could call into question whether they can transfer data at all.
Data has been essential to global efforts to combat the COVID-19 pandemic and its economic fallout. As countries continue to restart their economies, the ability to move data will be essential to identifying and deploying ways to better control the spread of COVID-19 and its variants, mitigate the negative effects on individuals and communities, and rebuild commercial and industry sectors still struggling to return to normal. The requirements of the new SCCs and the supplemental measures could significantly impair the ability of companies of all sizes — and particularly smaller organizations — to move the data needed to address these critical problems.
The Biden Administration has signaled its goal of reaching a political solution to the issues raised by “Schrems II” that will ensure the robust flow of data between the EU and U.S.
While the Administration continues its efforts toward a solution, policymakers and regulators can take other measures to help companies, particularly small and medium-sized businesses, that continue to rely on SCCs to transfer data.
- Provide clear, concise, practical advice tailored to the needs and circumstances of smaller companies about the measures smaller businesses should take to use SCCs in compliance with the GDPR. The U.K. Information Commissioner’s Office website, which advises companies about their obligations and provides examples designed to help businesses comply, can be instructive. By following the ICO’s model and distilling the EDPB’s advice into understandable, actionable steps, companies will be equipped to make knowledgeable decisions about their use of SCCs and reduce the need for legal counsel.
- Develop and provide smaller companies with information and advice about the nature of the risk they should assess when implementing SCCs and how that analysis should be carried out. While the practice of data protection and privacy risk assessment is a regular feature of emerging law, advice about the nature of the risk that should be evaluated is often not available. Clarity about the specific risks to be assessed when using SCCs would enhance companies’ ability to analyze the risk that arises from trans-Atlantic transfers of data and contribute to more accurate, effective risk assessment overall.
- Educate small companies in layman’s language about the scope of data at issue in the “Schrems II” case. If smaller organizations are better informed about what data transfers are subject to government surveillance, i.e., electronic transfer of data, as opposed to, for example, genetic data that may be derived from human tissue research samples, they will avoid investing resources in analyzing transfers where supplemental measures are not needed.
- Develop and provide for companies a practical guide to the kinds of data generally subject to government requests for access. A joint white paper released in September 2020 by the U.S. Department of Commerce, the Department of Justice and the Office of the Director of National Intelligence asserts “(m)ost U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies and have no grounds to believe they do. They are not engaged in data transfers that present the types of risks to privacy that appear to have concerned the (CJEU) in ‘Schrems II.’” Further, it states that companies whose EU operations involve ordinary commercial products or services and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer or sales records would have little reason to believe U.S. intelligence agencies would seek access to that data.
Companies of all sizes would benefit from a trusted, more specific analysis of this important point. A clearer understanding of the kinds of data of interest to the intelligence agencies would contribute to a more accurate risk analysis of the kind proposed by the recommendations for supplemental measures.