One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US is standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has caused some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method, alone, for transferring personal data to certain jurisdictions, including the US. (See the supplemental protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)
Given these concerns, it has long been anticipated that the EU Commission would revisit and revise the clauses. It has done so, and is seeking comment on modifications to the clauses. Unlike the current SCCs, of which there are a few (including for transfers between two controllers, and transfers from controllers to processors), the new version has a variety of different provisions that the parties can select based on their respective roles (controller, processor). The updated clauses also take into account GDPR-required content, like data minimization and security. They also contemplate more thoroughly “onward transfers” of information, and allow for more parties to be signatories than under the current scheme.
Interested parties have until 10 December 2020 to comment on the draft. It is anticipated that the EU will vote on the clauses early next year, and that they will be adopted shortly thereafter. There would then be a one-year grace period to allow companies to switch over from the current set of clauses to the new ones. The caveat, though, is that companies must use “necessary supplemental measures” to ensure that data is adequately protected. The EU is also seeking comment on controller-processor standard clauses to address general GDPR requirements (in Data Protection Agreements) when data is not being transferred out of the EU.
Putting it Into Practice: Until the new clauses are implemented, companies transferring data between the EU and the US will need to rely on current measures, which include the current set of SCCs, and keep in mind the EDPB’s cautions around “supplementary measures” needed for protecting outbound data. While there is time before any new clauses come into effect, in anticipation of the new clauses, we expect EU companies transferring data will likely be auditing and mapping the data they transfer.