Privacy Post-Schrems II - First of a Four-Part Series on Compliance with EU Privacy Laws Using Standard Contractual Clauses
October 7, 2020
By: Jason L. Ott, Matthew F. Chase, and Derrick L. Maultsby Jr.
The Schrems II case has had substantial impact on personal data transfers from the European Union (the “EU”) to the United States. As Jackson Kelly explained previously, the Schrems II case: 1) upheld the validity of standard contractual clauses (“SCCs”) for the transfer of personal data to recipients established in third countries; but 2) invalidated the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework.[1] Given the new significance of SCCs, Jackson Kelly is authoring a blog series exploring what SCCs are, the main U.S. legal considerations needed for SCCs, and the various SCC provisions that would help with compliance with EU privacy law, including the General Data Protection Regulation (the “GDPR”), in light of the Schrems II case. This first installment highlights what SCCs are, the dynamic between parties to a contract involving SCCs, and the role of supervisory authorities.
SCCs are model contract provisions, adopted by the European Commission, through which a data exporter in the EU and a data importer established outside the EU or the European Economic Area (“EEA”) agree to comply with EU privacy law and submit to the supervision of an EU supervisory authority.[2] The European Commission, the EU’s politically independent executive arm, has decided that several sets of SCCs provide the “appropriate safeguards,” “enforceable data subject rights,” and “effective legal remedies for data subjects” that Article 46 of the GDPR requires for transfers to third countries.[3] These SCC decisions are distinct from adequacy decisions under Article 45 of the GDPR (the instrument behind the now-invalidated Privacy Shield), which cover a whole country or framework rather than a contract; for convenience, this series refers to the level of protection SCCs provide as “adequate.” Specific SCC provisions that supply these safeguards include: 1) an obligation on the parties to respond promptly and properly to reasonable inquiries from data subjects, the other party to the contract, and the supervisory authority; and 2) treatment of data subjects as third-party beneficiaries of the contract, so that they can enforce its terms directly. SCCs also incorporate fundamental data protection principles such as purpose limitation, restrictions on onward transfers, and security and confidentiality.
The sets of SCCs that the European Commission has approved are built around two contractual relationships: 1) controller-to-controller contracts; and 2) controller-to-processor contracts.[4] The controller is the party that determines the purposes and means of the processing of personal data, while the processor is a party that processes personal data on the controller’s behalf (for example, a vendor to which the controller has outsourced that task).[5] Although both types of contract can contain similar SCC provisions, the provisions allocate roles and responsibilities differently between the two. For example, the controller-to-processor SCCs make the data exporter liable to data subjects for the data importer’s failure to meet its obligations under the clauses. How the clauses assign liability to one party or the other is a point that data controllers and processors should examine carefully in every contract.
As mentioned above, SCCs require the parties to submit to the supervision of an EU supervisory authority. Supervisory authorities are independent public authorities established by EU Member States to monitor the application of the GDPR, including whether personal data transfers to third countries are adequately protected.[6] They have the power to investigate data subject complaints, impose administrative fines, and order the suspension or prohibition of data flows to a recipient in a third country.[7] SCCs should reflect these investigative and enforcement powers, for example by obliging the data importer to cooperate with the authority’s inquiries and submit to its audits. U.S. companies should also determine, based on their individual circumstances: 1) which supervisory authority or authorities will supervise their personal data transfers (under SCCs, normally the authority of the Member State in which the data exporter is established); and 2) where more than one authority is involved, which should act as the “lead” supervisory authority.
Given the ever-changing landscape of privacy and cybersecurity law both in the U.S. and around the world, it is important to keep up with the latest legal and technical developments. Jackson Kelly dedicates itself to providing proper guidance to its clients to maintain compliance with various laws and regulations, specifically including those that affect local and international personal data transfers. Please feel free to reach out to us at any time if you need help navigating these new requirements.
[1] Matthew F. Chase, Jason L. Ott, and Derrick L. Maultsby, Jr., “Schrems II”: A Second Wave of Impacts Across the EU-U.S. Privacy Landscape (October 2, 2020), https://www.jacksonkelly.com/the-legal-brief-blog/schrems-ii-%C2%A0a-second-wave-of-impacts-across-the-eu-us-privacy-landscape.
[2] European Commission, Standard Contractual Clauses (SCC) (accessed October 2, 2020), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[3] Article 46 of the GDPR.
[4] European Commission, Standard Contractual Clauses (SCC) (accessed October 2, 2020), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[5] European Data Protection Supervisor, Data Protection, Glossary, D, Data controller (accessed October 2, 2020), https://edps.europa.eu/node/3099#data_controller.
[6] Article 51(1) of the GDPR.
[7] Articles 57, 58, and 83 of the GDPR.