The European Commission has released new standard contractual clauses (SCCs) for use when data is transferred from the European Union (EU) to the U.S. If you rely on SCCs to transfer personal data from the EU to the U.S., here’s a quick list of action steps that you need to take:
Identify all existing contracts using the old SCCs. All existing contracts utilizing SCCs must be updated by December 27, 2022. This may involve not only contracts with third parties, but also inter-company agreements that allow you to transfer data between different business units. You’ll need to get a handle on how big (or small) this project is so you can plan and staff the project appropriately. If you use subcontractors, you may want to prioritize your subcontractor agreements, because when you start using the new SCCs (which are required beginning September 27) with data exporters in the EU, you effectively will be representing that your subcontractors have also agreed to the terms in the new SCCs.
Identify all contracts currently under negotiation that involve transfers of personal data from the EU. If you can finalize the contract before September 27, 2021, you can complete it with the old SCCs (but you will still need to update the SCCs eventually ─ see step 5 below). If you’re not sure that the contract can be completed before September 27 (or you don’t want to revise it later), you should move now to the new SCCs (but see step 3 below). If you are currently negotiating with a subcontractor, you should consider switching immediately to the new SCCs.
As soon as possible, prepare schedules and an assessment regarding U.S. surveillance activities. The new SCCs have detailed schedules that need to be prepared, so you’ll probably want to draft some stock language that you’ll use as a starting point in these schedules, even if you’ll have to modify them for any specific agreement. The new SCCs also require an assessment of U.S. laws that may compromise your ability to protect data from the EU, including government access to the EU data under U.S. surveillance laws. Before you execute your first agreement using the new SCCs, you should document the required assessment (which may require a certification from senior management). You will also need an assessment from any vendors who process the EU data on your behalf. This step may prove to be the biggest bottleneck in the entire process.
Start using the new SCCs with all new contracts. The new SCCs must be used with any contracts executed after September 27, 2021, but you can start using them any time after June 27 (preferably not until you’ve completed the assessment discussed in step 3 above). Moreover, using the new SCCs means you won’t have to revisit the agreement to update it before December 27, 2022.
Before December 27, 2022, amend existing contracts that are using old SCCs. Although that’s 18 months away, updating your existing contracts will likely involve negotiation, which always takes some time. Even if you have only a few contracts to amend, another party to a particular contract may have hundreds or even thousands of contracts to update. This means that you may end up in a long line waiting to amend the agreement. Starting early gives you the best chance to complete this process by next December.
Warner can help! We routinely help businesses with data transfer issues. If you need help preparing or negotiating updated SCCs, please contact Kelly Hollingsworth, Norbert Kugele, Alexandra Haywood, Lexi Woods or any other member of Warner’s Cybersecurity and Privacy Practice Group.