Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

Minneapolis

New York

Washington, D.C.

On June 4, the European Commission adopted new Standard Contractual Clauses (SCCs) to enable organizations to transfer personal data outside the European Union (EU) in accordance with the General Data Protection Regulation (GDPR). The new SCCs are intended to address the complex data processing issues that impact modern businesses, and they impose several novel obligations on organizations. Importantly, the new SCCs address situations where the U.S. government (and other non-EU authorities) request access to personal data, which was the core issue presented in the recent <a href="https://www.thompsonhine.com/publications/european-court-invalidates-privacy-shield-upholds-model-clauses-for-now">Schrems II</a> decision.

contentpilot/introduction

In order to comply with the GDPR and SCCs, organizations should consider undertaking the following:

core/paragraph

core/list

The existing SCCs will be repealed in three months, and, at that juncture, organizations cannot rely on them for new personal data transfers. In the event organizations have executed agreements that incorporate the existing SCCs, those agreements will remain valid for 18 months.

core/heading

The existing SCCs address two data transfer frameworks (i) controller-to-controller (C2C) and (ii) controller-to-processor (C2P). The new SCCs continue to address both the C2C and C2P transfers and add two new frameworks (iii) processor-to-processor (P2P) and (iv) processor-to-controller (P2C) transfers. In turn, organizations subject to the GDPR are required to select the data transfer “Module” most applicable to their business model. Although many of the provisions within the new SCCs mirror the requirements set forth in Article 28 of the GDPR (e.g., the parties must define the nature and scope of data processing, provide certain types of assistance to better ensure data protection compliance), they also create new data processing obligations that parties may find burdensome. Organizations are permitted to incorporate additional contractual provisions into the SCCs, provided, however, they do not contradict the terms, conditions and rights set forth in the new SCCs.

Although the SCCs will not automatically be applicable with respect to data transfers from the UK, the Information Commissioner’s Office indicated that it will adopt a similar set of data transfer clauses for UK transfers.

Third-Party Rights, Dispute Resolution and Liability

The SCCs furnish data subjects the right, with some exceptions, to invoke and enforce the SCCs as third-party beneficiaries against the data exporter and/or data importer. In addition, data importers are specifically required to inform data subjects in a transparent and easily accessible format (e.g., individual notice, website postings) of a point-of-contact responsible for addressing data subject complaints. The SCCs provide an optional provision wherein the data importer would agree to allowing data subjects to lodge complaints with an independent dispute resolution body, provided the body is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

A party that breaches its obligations under the new SCCs is liable to the non-breaching party for damages the latter incurs. The different Modules (i.e., C2C, C2P, P2P and P2C) set forth requirements regarding (i) the scope of damages a party may recover in the event of a breach, (ii) joint and severable liability, and (iii) when a party can “claim back” compensation corresponding to its damages proffered in response to a claim.

The new SCCs address the Schrems II decision with respect to government access requests and therefore will help organizations to more uniformly comply in this area. In fact, Section III of the new SCCs (Local Laws and Obligations in Case of Access by Public Authorities) applies to the C2C, C2P and P2P Modules, and the P2C Module where the EU processor combines personal data received from the third country-controller with personal data collected by the processor in the EU. The new SCCs require each party to warrant that they “have no reason to believe” that the laws of the importing country, including any legal requirements furnishing public authorities with the right to access personal data, would “prevent the data importer from fulfilling its obligations” under the new SCCs. In order to make this warranty, the SCCs indicate that the parties should assess the specific circumstances of the transfer, including:

In addition to the foregoing, the SCCs provide that the parties should assess (i) the importing country’s laws, including the context in which they furnish public authorities rights to access personal data, and (ii) any supplemental contractual, technical or organizational safeguards relevant to the transfer (e.g., measures applied during transmission and to the processing of the personal data in the country of destination). The parties must document and retain these assessments and provide them to supervisory authorities upon request. The SCCs create additional obligations and processes (i) in the event a party can no longer comply with its warranty, (ii) if a party receives a government access request, and (iii) for issuing transparency reports.

Given the substantial number of ransomware attacks and data breaches impacting the business community, it is not surprising that the SCCs focus on information security practices. Like its C2P predecessor, the new SCCs delineate the circumstances in which the parties need to document their technical and organizational security in Annex II. However, the new SCCs emphasize that these measures must be described with specificity and not in “generic” terms. In addition to listing the security controls already found in Article 32 of the GDPR, the new SCCs provide the following examples of potentially applicable technical and organizational security measures the parties must implement and maintain:

Although the SCCs emphasize the potential for including any relevant third-party certifications as part of the SCCs, such security certifications and assurances are only one part of the security process and is not a substitute for a party’s broader diligence obligations.

Clause 9 of the SCCs (Use of Sub-processors) sets forth a framework for employing sub-processors that is similar to Article 28 of the GDPR. For instance, when a data importer engages a sub-processor pursuant to either the C2P or P2P Modules, the (i) parties may agree to the use of specific, prior authorization of each sub-processors or a general written authorization, and (ii) the data importer must remain fully responsible to the data exporter for the sub-processor’s acts or omissions. For the C2P and P2P Modules, the parties must complete Annex III of the SCCs, which delineates the list of approved sub-processors.

Organizations may have to adopt new policies and procedures to comply with the SCCs. For instance, organizations should consider implementing and maintaining a formal government access request policy so they can both efficiently and effectively respond to such requests and comply with the provisions within the SCCs regulating the same. Similarly, they should consider publishing, quarterly, bi-annually, or annually, a transparency report describing how many (if any) government access requests they receive during the applicable time period. However, organizations should not only be prepared to draft and adopt new policies and procedures to comply with the new SCCs, but also ensure they are continuously monitored and evaluated to demonstrate on-going compliance.

Steven G. Stransky 216.566.5646 202.263.4126 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a> Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)

Elizabeth H. Blattner 937.443.6826 <a href="mailto:Elizabeth.Blattner@ThompsonHine.com">Elizabeth.Blattner@ThompsonHine.com</a>

Jennifer N. Elleman 937.443.6927 <a href="mailto:Jennifer.Elleman@ThompsonHine.com">Jennifer.Elleman@ThompsonHine.com</a>

Thomas F. Zych 216.566.5605 <a href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

or any member of our <a href="https://www.thompsonhine.com/services/privacy-and-cybersecurity">Privacy &amp; Cybersecurity</a> group.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_EU_Approves_New_Standard_Contractual_Clauses_for_Cross-Border_Data_Transfers_-_June_2021.pdf

EU Approves New Standard Contractual Clauses for Cross-Border Data Transfers

Services