Time to switch your standard contractual clauses

It’s never been easy for businesses to operate across borders, but recent changes to data privacy regulations have raised the bar. It seems like businesses need to change their processes every few years.

When it comes to international data transfers between the EU and the US, regulations seem to be invalidated as quickly as they’re created. First, it was the Safe Harbor provision, then the Privacy Shield, and now, businesses are expected to implement new standard contractual clauses if they want to handle EU citizens’ data in the US.

In this blog, we’ll explain everything a business needs to know about the new standard contractual clauses as well as how to minimize your risk from EU data protection authorities.

What happened to the old standard contractual clauses?

In 2020, the European Court of Justice (CJEU) ruled in the Schrems II case in favor of privacy rights advocate Max Schrems and against Facebook Ireland.

In effect, the CJEU ruled that the mechanisms Facebook used to transfer data out of the EU and into the US were not valid. Specifically, the court ruled that the Privacy Shield was invalid and that the use of standard contractual clauses (SCCs) was often, but not always, invalid.

At the heart of the issue is US intelligence agencies’ ability to surveil data collected by US companies and the inability of EU citizens to seek legal redress against that surveillance.

The validity of the old SCCs was dependent upon their ability to effectively provide "a level of protection essentially equivalent to that guaranteed within the EU.” But it became clear that the old SCCs weren’t really well-configured to ensure that level of protection. They were cumbersome to tailor to individual organizations, accounted for only a subset of possible data flows, and lacked guidance on what to do when a government authority requested access.

So, on June 4, 2021, the European Commission released new SCCs. If you want to transfer data from the EU to the US compliantly, you’ll need to update your old contracts to feature the new SCCs.

When’s the deadline for switching to the new standard contractual clauses?

Updating contracts is a hassle, so there has been some flexibility about when companies need to have their contracts updated with the new SCCs. However, the grace period is about to run out. Businesses need to switch to the new SCCs by December 27th, 2022 — which is right around the corner.

What’s different about the new standard contractual clauses?

The new set of SCCs has a number of differences that make them easier to use and clearer about the practices necessary to keep businesses in compliance. This isn’t an exhaustive list, but it captures some of the more significant changes.

Modules to represent more data flows

The previous SCCs only accounted for controller-to-controller and controller-to-processor relationships when transferring data outside of the EU, but reality gets more complicated than that. To account for more complex data flow, the new SCCs include four modules that are as follows:

• Controller-to-controller
• Controller-to-processor
• Processor-to-processor
• Processor-to-controller

Multiparty and docking clauses

Before, the old SCCs didn’t have a really clear-cut way of allowing more than two parties to enter into an agreement with one another, or for new parties to join existing contracts. The new SCCs are better suited for multiple parties and feature a docking clause that enables new parties to be added over time.

A greater focus on the annexes

The older SCCs didn’t require as much information and detail in the annexes as the new SCCs. Now, the annexes must include much more information about the parties’ data practices. Not only does this force the parties to define their practices explicitly, but it also serves as a way to remind the parties of their responsibilities. The new annexes need to include information like:

• Descriptions of the exporters and importers
• Descriptions of the data transfer, such as categories of data to be transferred, the nature of processing, how long the data will be retained, and so on.
• The relevant supervisory authority
• The technical and organizational measures the business will take to secure the data, such as entry and access controls
• And more

A prohibition from use if you can’t comply

The new SCCs are, in part, a response to the outcome of the Schrems II case. That means the new SCCs feature more guidance about what to do when transferring data into a country with different data privacy laws and practices.

For example, the data importer and exporter need to conduct transfer impact assessments that take into account the nature of the data being transferred, the purpose of processing, and the laws of the country of destination, among other requirements. If the assessment should indicate that they won’t be able to meet the level of protection that the clauses require, then they are not allowed to use SCCs to justify their data transfer.

How do I implement the new standard contractual clauses?

It’s always going to be painful to repaper contracts. Customers might decide they don’t want to renew their contract, partners might seek to change the terms in their favor — essentially, you’re inviting chaos.

But that chaos pales in comparison to what you’ll experience if December rolls around and you’ve got a bundle of contracts that are about to become invalidated. Rushing to repaper your contracts won’t look good, and may encourage customers that are on the fence about their engagement with you to take their business elsewhere.

That’s why it’s important to 1) have a communication strategy and 2) prioritize your high-value customers and partnerships.

First, develop a plan for how you’re going to communicate with counter-parties. Make sure you explain the need for the change and that it isn’t going to modify the nature of your relationship. If you have SCC-inclusive contracts with vendors, partners, and the like, make sure that you clearly describe what they’re required to do in order for the new SCCs to be accurate and up to EU data protection authorities’ standards. This might include adopting certain security standards, for example, or recording certain data processing activities.

Next, make sure you spend extra time with those customers or partners that bring the most value to your organization. In a perfect world, you’ll be able to switch over with no fuss. But December is coming up, and we don’t live in a perfect world. It may be the case that you don’t have the time to be persuasive and strategic with everybody you have a contract with; if that’s the case, focus on the subset of customers and partners that bring the greatest value to you.

Can I rely on the new standard contractual clauses in the future?

The EU invalidated the Safe Harbor, the EU invalidated the Privacy Shield, the EU invalidated the old SCCs — what’s to stop them from invalidating the new SCCs?

The answer: nothing. This is just going to be an unsettled aspect of international data privacy for a while.

Fundamentally, the problem with international data transfers between the EU and the US is that US intelligence agencies have too much access to US company’s data. In the eyes of EU data protection authorities, there really isn’t any way for US companies to be compliant with the EU data privacy regulations; EU citizens’ data will always be exposed.

There is a bit of nuance to this, however.

The specific legal mechanism that the EU objects to is the use of the Foreign Intelligence Surveillance Act’s (FISA’s) Section 702. Under Section 702, US intelligence agencies can conduct searches of foreign communications, which includes EU citizens’ data. Section 702 lets intelligence agencies direct “electronic communication service providers” to hand over information related to foreign individuals. Electronic communication service providers include cloud service providers like Google and Amazon. For that reason, many cloud computing services have been under scrutiny in the EU. The use of Google Analytics, for example, is not legal in France or Austria.

But Section 702 also applies to what’s referred to as businesses that provide “electronic communication services,” which includes any service that provides users the ability to send electronic communications. This is a fairly broad and vague definition and could conceivably include any business that has a communication system in place, whether it’s an in-app messaging system or work email.

So what does this mean for businesses worried about the validity of SCCs?

Assuming you’re not a cloud service provider like Google or Amazon, you likely only have to worry about whether the US intelligence community considers you to provide electronic communication services, which, as we mentioned, is a very vague and broad category. For many businesses, it’s reasonable to assert that you aren’t an electronic communication services company and therefore aren’t subject to Section 702. US intelligence agencies might disagree, in which case you may find yourself unable to use SCCs to cover data imports from the EU.

Remember, as we stated above, the new SCCs do not cover data transfers if you believe you won’t be able to comply with your contractual obligations. If you know you’re subject to Section 702, you can’t comply with the requirements of the new SCCs.

It’s not a very satisfactory state of affairs, but it is what it is. It may be of some comfort to know that intelligence agencies aren’t issuing Section 702 notices left and right, so you may never have your ability to rely on SCCs tested. If you receive a notice, you may or may not be able to fight it — but that’s a discussion better left to your legal counsel.

To summarize:

• Most businesses can rely on SCCs when importing EU citizens’ data
• US intelligence agencies might try to argue a business is subject to Section 702, and therefore has to hand over EU data
• Whether a business is subject to Section 702 or not is debatable in many cases
• If a US intelligence agency issues you a Section 702 notice and you comply, you won’t be eligible to use SCCs and import EU data

Ultimately, until the EU and the US get on the same page about data privacy rights, there just won’t be a rock-solid way to transfer data out of the EU to the US. All businesses can do in the meantime is minimize their risk.

How Osano helps minimize risk

Osano can help you reduce your risk in a few ways. For one, we have EU-local attorneys to serve as your organization’s GDPR representatives — if you process EU citizens’ data, then the GDPR requires you to maintain a physical presence in the EU. We also provide Vendor Risk Monitoring services that can help you quickly identify vendors who comply with the GDPR, further reducing your risk. And our platform features a host of other compliance capabilities that serve to reduce your overall risk profile under data privacy laws, whether that’s the GDPR, CPRA, or any other.

To start reducing your GDPR non-compliance risk, just schedule a demo today.