Dear Clients and Friends,
If you have customers located in the European Union (“EU”), in 2018 you would have become very familiar with the General Data Protection Regulation ((EU) 2016/679) (commonly referred to as the “GDPR”). If there was a possibility that you would be receiving personal data from those customers, then you will also be familiar with the safeguards that need to be in place to ensure your compliance with the GDPR.
In what is arguably the most significant development since the GDPR came into force three years ago last month, the European Commission has issued new Standard Contractual Clauses (“SCCs”) for data transfers outside of the EU. To understand the significance of the new SCCs, let us begin with some background.
The GDPR clearly prohibits the transfer of personal data outside of the EU to another country unless certain conditions are met. The country must either be considered by the EU as having adequate data protection laws, or the contractual parties must put appropriate safeguards in place.
As the EU does not consider the U.S. to have adequate data protection laws, U.S. companies have been relying on the EU-US Privacy Shield to provide a mechanism to comply with the data protection requirements of the EU when transferring personal data from the EU to the United States. Unfortunately, just last year, the European Court of Justice (“ECJ”) found the EU-US Privacy Shield to be invalid under the GDPR, as it failed to comply with the level of protection required.
Without the EU-US Privacy Shield to rely on, U.S. companies have since turned to what are known as the Standard Contractual Clauses. SCCs are data protection contractual clauses, approved by the European Commission over a decade ago, which provide for compliance with EU data protection laws.
Given that the old version of the SCCs was approved and implemented pre-GDPR, it did not seamlessly match the requirements of the GDPR, and hence new clauses were needed. The new SCCs now reflect the requirements of the GDPR and important aspects of the ECJ decision invalidating the EU-US Privacy Shield.
The new SCCs came into effect on June 27, 2021, and U.S. companies have until September 27, 2021 to incorporate the new SCCs into their contracts moving forward. The old SCCs will be valid in respect of contracts entered into before September 27, 2021, but only until December 2022, by which date the new SCCs must be fully implemented and the old SCCs will no longer be valid.
Therefore, if you currently have a Data Processing Agreement or Addendum that includes or references the old SCCs, it will need to be updated. Now is also a good time to review and update your privacy and data protection policies.
One final note: following Brexit, the new SCCs will not automatically apply for purposes of the UK GDPR; though, of course, the new SCCs will be highly influential for purposes of UK data protection law. The UK’s data supervisory authority, the ICO, is expected to issue and consult on its own version of the SCCs later this year.
CowanPerry PC is here to assist you as you work to ensure compliance with the GDPR. Attorneys Jim Cowan at jcowan@cowanperry.com / 540.443.2860 and Suzanne Pierce at spierce@cowanperry.com / 540.400.8127 will be glad to assist you.