There’s no question about it: For any member of the Internet industry on either side of the Atlantic, data transfer is currently a hot (and admittedly complex) topic. While it’s good to know that the U.S. and EU are continuing negotiations about a replacement for the Privacy Shield, and hope to reach a solution by the end of the year, there is a compelling need to know how the most important data transfers can now take place – and are likely to do so in the future.
With this in mind, on 24 September 2021, a transatlantic dialogue was jointly hosted by the European-based eco Association and the U.S.-based i2Coalition. This dialogue imparted a detailed insight into the transfer of personal data and data protection on both sides of the Atlantic. Here, a particular focus was applied to the implementation and impacts of the new set of Standard Contractual Clauses (SCCs), as approved by the European Commission in June 2021. Especially since the EU/U.S. Privacy Shield was invalidated in 2020, almost any company or individual wishing to transfer personal data from the EU to the U.S. or other third countries must currently rely on SCCs in order not to risk a violation of data protection law.
A helping hand for Standard Contractual Clauses
As Thomas Rickert, eco Director Names & Numbers noted at the dialogue, if a company is undertaking regular business with European partners or is targeting European individuals or businesses, there will generally be a need to comply with the EU’s General Data Protection Regulation (GDPR). In order to do so, SCCs are regarded as a very helpful tool. To provide a greater insight into these SCCs, eco Chair of the Board and Fieldfisher partner Oliver Süme highlighted the difference in the structure between the old and new set of SCCs. In Süme’s opinion, the “clear merit of the newer set is that of enhanced flexibility and openness”.
While the specific aspects of the SCCs can be quite complicated to take on board, help is in sight from a recommendation provided by the European Data Protection Board. The step-by-step approach recommended in this document is:
- Know your transfers.
- Verify the transfer tool that your transfer relies on (either SCCs, binding corporate rules or adequacy decisions).
- Assess third-country legislation relevant to Article 46 GDPR.
- Identify and adopt the supplementary measures.
- Take any formal procedural steps that might be required in order to implement those additional steps.
- Reassess everything after a certain period of time.
The perspective on the Standard Contractual Clauses in the U.S.
David Snead, Co-Founder and Policy Working Group Chair of i2Coalition, provided an overview on how SCCs are being viewed by businesses in the U.S. While initial relief was evident when the SCCs came out, Snead noted that “this has been tempered somewhat by the amount of detail that is required in addressing the SCCs”; as such, he is of the opinion that “the increasingly complex methods used to remedy a problem need to get solved at a political level”.
In homing in on the political context, the Senior Policy Adviser at i2Coalition, Ann Morton, described the policy approach to privacy in the U.S. as “still evolving and not fully formed”. While she sees that there is sentiment within the U.S. government to try to come up with practical, implementable solutions to consumer data privacy, she concluded that there is still a difficult road ahead to pass a comprehensive federal privacy bill, with this making the SCCs so important in the interim.
When it comes to the Privacy Shield negotiations, Ann Morton believes that “the U.S. and EU will work diligently to reach a practical solution, given that they are in line with each other on human rights and other key cultural values”. Ultimately, resolving this issue is important for sustaining robust transatlantic trade.
For a more in-depth insight into the transatlantic dialogue on data transfer and SCCs, read the full report here.