Out With The Old, In With The New SCCs – Privacy | #itsecurity | #infosec | #education | #technology | #infosec

As of September 27, 2021, the European Commission requires
controllers and processors to rely on the recently updated Standard Contractual
Clauses (SCCs) for
any new contracts governing personal
data transfers from the EEA. (Existing contracts can continue to
use old SCCs until December 27, 2022.)  This post provides an
overview of what’s in the new SCCs and how they compare to the
old clauses they replace.

The Need for New Standard Clauses.  Like
the old SCCs, the new SCCs are model data
transfer provisions designed to provide an “adequate”
level of data protection in countries that have not received an
adequacy determination (“third countries”).

A lot has changed, however, since the European Commission
developed the old SCCs; and the SCCs were due for an update. 
The old SCCs were based on the GDPR’s predecessor, the Data Protection Directive
95/46/EC, and only addressed controller-to-controller transfers
(issued in 2001) and controller-to-processor transfers (2010),
respectively. The previous SCCs did not cover
processor-to-processor transfers or processor-to-controller
transfers, and gave limited choices for governing law and venue to
resolve disputes, among other limitations.

In the intervening years, data transfers have increased in
complexity and volume. The GDPR imposes its more comprehensive
obligations on controllers and processors. And the Schrems
 decision, which invalidated the EU-US Privacy Shield,
requires analysis of surveillance practices and other conditions in
third countries such as the United States.

Key Changes.  The new SCCs apply to a more
complete range of data relationships and are divided into four
different modules:

  • (Module 1) controller to controller;
  • (Module 2) controller to processor;
  • (Module 3) processor to sub-processor; and,
  • (Module 4) processor to controller.

These modules are covered by a single draft of the SCCs (unlike
the old SCCs, which were issued in two separate decisions, which
were a source of much confusion).

The new SCCs more closely mirror the GDPR’s requirements and
address important issues raised in the Schrems
 ruling. Schrems II focused on the
potential harm to EEA data subjects whose information was
transferred outside of the EEA and could be accessed by
third-country authorities in bulk and without sufficient
safeguards. The European Commission included several contractual
terms in the new SCCs to address these concerns, such as:

  • Clause 14: Parties provide contractual
    warranties regarding protections for personal data in cases of
    access by authorities;
  • Clause 15: Data importer agrees to
    further obligations in cases of a request for disclosure by
    authorities, including to notify the data exporter, review the
    legality of the request for disclosure, appeal if the request is
    unlawful under international law, and provide the minimum
    information possible to a request;
  • Annex II: SCCs provide an opportunity to
    list all supplemental technical and organizational measures used to
    protect personal data.

What About the UK?  It is important to
note—since the UK recently left the EU and the transition
period for its withdrawal expired at the end of 2020—the SCCs
do not automatically apply to the UK GDPR. However,
the Schrems II decision does apply to UK law
because it was handed down in 2020 during the Brexit transition
period. The UK Information Commissioner’s Office (ICO) is
expected to come out with guidance in the coming
months for revisions to the SCCs under the UK GDPR that incorporate
the Schrems II provisions.

Practical Impact.  Any contracts that were
finalized prior to September 27, 2021 can continue to rely on the
old SCCs until December 27, 2022 as long as the data processing
obligations remain unchanged.

It would be worthwhile for data importers to take stock of their
data collection practices and review their responsibilities under
the new SCCs. This is a good time for companies to determine
whether their DPAs have terms that are inconsistent with the new
SCCs and, if they do, to resolve those inconsistencies. For
companies that have global DPAs, an SCC-driven review presents a
good opportunity to update the DPA to account for new contract
requirements from the CPRA, VCDPA, and ColoPA. For example, the CPRA
requires third party contracts to include provisions limiting
personal information sales to specified purposes. Both VCDPA and
ColoPA require controllers to have contracts with specific
instructions on how the processors must process data such as the
type and duration of processing.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Source link