Data Security

The new SCCs

As new technologies from outside the European Economic Area (“EEA”) become more prevalent, the collection of European personal data (name, images, email addresses, IP addresses, shopping habits, etc.) is becoming easier. Aware that personal data is a highly coveted asset whose misuse could be detrimental to individuals and their economic interests, the European Union reinforced its legal arsenal in 2018 with the General Data Protection Regulation (GDPR).

Even before the GDPR, the European Commission had published Standard Contractual Clauses (SCCs) in 2001[1] and 2010[2] to regulate the transfer of personal data to countries outside the European Economic Area. In 2020, however, the adequacy of these clauses on their own was called into question by the European Court of Justice's decision in the Schrems II case.[3] In that ruling, the Court of Justice struck down the Privacy Shield, one of the most widely used mechanisms for companies to transfer personal data between the EU and the US.[4] The result was greater complexity around the mechanisms available to ensure the lawful transfer of personal data to third countries.

One year later, on June 4, 2021, the European Commission provided an answer by issuing new standard contractual clauses to replace the old contractual transfer regime.[5] This decision is consistent with the European Union's desire to resolve the uncertainty left by the Schrems II ruling, while updating safeguards to address the complexity of international transfers and the actors that may be involved.

When transferring data outside the European Economic Area, safeguards must be implemented to preserve the level of protection that the GDPR provides to individuals. As a result, data may only be transferred to countries that have been granted an adequacy decision (such as Argentina, Japan, Israel, etc.) or under mechanisms that guarantee adequate protections, which include "standard contractual clauses".[6]

One of the objectives of the new SCCs is to ensure that data is protected from unauthorized access by public authorities.[7] To this end, data exporters are required to conduct a prior assessment of the rules applicable in the importer's country to ensure that the importer is able to comply with the standard contractual clauses.[8] Where appropriate, exporters are also required to deploy additional technical and organizational measures (such as data encryption, pseudonymization, etc.) to guarantee a sufficient and adequate level of data protection as required by EU law.[9]

Today, almost 90% of companies (SMEs as well as companies with more than 250 employees) use SCCs to manage international transfers,[10] since it is a mechanism that can be put in place without the prior approval of national data protection authorities.[11] With the advent of the new SCCs, however, these companies face a major challenge that is both time-consuming and costly. Since September 27, 2021, the new SCCs must be used, and companies have until December 27, 2022, to replace all of their existing SCCs. Exporters will then have to (i) choose the right SCC module; (ii) conduct a data transfer risk assessment of the laws applicable to the data importer; and (iii) implement additional measures where necessary.

To address these complexities, SimplyClause offers a SaaS-based platform that enables various actors and professionals (management, lawyers, IT and DPOs) to comply with their data protection obligations, such as by assessing the risks of transfers to a third country,[12] producing templates and annexes for the new SCCs,[13] or producing forms that can be included in data processing registers.[14]

The services offered include:

(i) drafting assistance for SCCs, allowing users to identify the contracting parties and select the relevant module;

(ii) creating ready-to-use, company-specific SCC templates;

(iii) third-country risk assessment containing an analysis of the laws applicable to the data importer, including whether there are elements in the legislation or in the practices of the importer's country that may compromise the application of the SCCs;

(iv) suggestions for additional organizational measures to be implemented by the importer to ensure, in combination with the safeguards provided by the SCCs, that the level of protection required by European Union law is met;

(v) facilitating collaboration between legal departments, DPOs and information security officers.

SimplyClause therefore stands out as an innovative tool that centralizes the resources and tools required to ensure the proper protection of personal data transfers. Currently, only transfers to the United States are covered by SimplyClause (the United States being a primary destination for international transfers). As part of its development, SimplyClause will expand its scope to streamline data transfers to other regions such as Asia and the Middle East.

[1] 2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271) (Text with EEA relevance).

[2] 2010/87/EU: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.

[3] ECJ, July 16, 2020, case C-311/18, D. 2020. 2432.

[4] Id.

[5] Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[6] GDPR, art. 46, § 2, c.

[7] New SCC, clause 14.

[8] Id.

[9] Id.

[11] The transfer mechanisms outside the EEA provided for in Articles 46 and 47 of the GDPR [e.g. BCRs], involve the intervention of a supervisory authority or a third party.

[12] New SCC, clause 14.

[13] European Commission, dec. (EU) 2021/914, June 4, 2021, art. 4.

[14] GDPR, art. 30.