At long last, the new standard contractual clause (SCCs) are here!

Since the adoption of the General Data Protection Regulation (GDPR), U.S. companies have invested a great deal of time and money in their compliance efforts; yet for many, their work is far from complete. For U.S. data importers, the July 2020 invalidation of the EU-U.S. Privacy Shield has left former “self-certified Shield” companies forced to find a new mechanism by which to lawfully transfer EU data into the U.S. Many of these companies will likely adopt the new set of standard contractual clauses (SCCs), once they are finalized by the European Commission.

As we reported last year, the invalidation of the EU-U.S. Privacy Shield on July 16, 2020 is forcing the hand of U.S. companies which access the personal data of EU residents to find a new, lawful mechanism by which to do so in accordance with EU data protection laws. One such alternative – the use of the EU’s standard contractual clauses (SCCs) (a/k/a “Model Clauses”) – was recently bolstered by much-needed proposed updates to the clauses themselves.

After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16^th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.

Outside GC Member Stephan Grynwajc continues to keep a close eye on the fate of the EU-U.S. Privacy Shield data-sharing arrangement. 

The future of the EU-U.S. Privacy Shield data-sharing arrangement is shaky at best. On June 12, 2018, a resolution was passed by the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE) calling for the suspension of the Privacy Shield, unless the U.S. demonstrates full compliance with the requirements of the program by September 1, 2018. And today, following the recommendation of the LIBE, Parliament itself voted 303 to 223 (with 29 abstentions) in favor of suspension “unless the U.S. is fully compliant” by September 1st.

The European Parliament took this action in response to a number of recent data breaches affecting Privacy Shield Certified-U.S. companies, causing concern over the effectiveness of the regulatory oversight of the framework, as well as well as over the sufficiency of the Shield’s certification requirements which are designed to protect the personal data of EU residents. If suspended, certified U.S. companies will no longer be able to leverage the benefits afforded to them by the Privacy Shield, forcing them to find new compliance mechanisms by which to transfer data from the EU in order to satisfy the requirements of the GDPR.