As of September 27, 2021, the European Commission requires controllers and processors to rely on the recently updated Standard Contractual Clauses (SCCs) for any new contracts governing personal data transfers from the EEA. (Existing contracts can continue to use old SCCs until December 27, 2022.)  This post provides an overview of what’s in the new SCCs and how they compare to the old clauses they replace.

The Need for New Standard Clauses.  Like the old SCCs, the new SCCs are model data transfer provisions designed to provide an “adequate” level of data protection in countries that have not received an adequacy determination (“third countries”).

A lot has changed, however, since the European Commission developed the old SCCs; and the SCCs were due for an update.  The old SCCs were based on the GDPR’s predecessor, the Data Protection Directive 95/46/EC, and only addressed controller-to-controller transfers (issued in 2001) and controller-to-processor transfers (2010), respectively. The previous SCCs did not cover processor-to-processor transfers or processor-to-controller transfers, and gave limited choices for governing law and venue to resolve disputes, among other limitations.

In the intervening years, data transfers have increased in complexity and volume. The GDPR imposes its more comprehensive obligations on controllers and processors. And the Schrems II decision, which invalidated the EU-US Privacy Shield, requires analysis of surveillance practices and other conditions in third countries such as the United States.

Key Changes.  The new SCCs apply to a more complete range of data relationships and are divided into four different modules:

  • (Module 1) controller to controller;
  • (Module 2) controller to processor;
  • (Module 3) processor to sub-processor; and,
  • (Module 4) processor to controller.

These modules are covered by a single set of SCCs (unlike the old SCCs, which were issued in two separate decisions, a source of much confusion).

The new SCCs more closely mirror the GDPR’s requirements and address important issues raised in the Schrems II ruling. Schrems II focused on the potential harm to EEA data subjects whose information was transferred outside of the EEA and could be accessed by third-country authorities in bulk and without sufficient safeguards. The European Commission included several contractual terms in the new SCCs to address these concerns, such as:

  • Clause 14: Parties provide contractual warranties regarding protections for personal data in cases of access by authorities;
  • Clause 15: Data importer agrees to further obligations in cases of a request for disclosure by authorities, including to notify the data exporter, review the legality of the request for disclosure, appeal if the request is unlawful under international law, and provide the minimum information possible to a request;
  • Annex II: SCCs provide an opportunity to list all supplemental technical and organizational measures used to protect personal data.

What About the UK?  It is important to note—since the UK recently left the EU and the transition period for its withdrawal expired at the end of 2020—the SCCs do not automatically apply to the UK GDPR. However, the Schrems II decision does apply to UK law because it was handed down in 2020 during the Brexit transition period. The UK Information Commissioner’s Office (ICO) is expected to come out with guidance in the coming months for revisions to the SCCs under the UK GDPR that incorporate the Schrems II provisions.

Practical Impact.  Any contracts that were finalized prior to September 27, 2021 can continue to rely on the old SCCs until December 27, 2022 as long as the data processing obligations remain unchanged.

It would be worthwhile for data importers to take stock of their data collection practices and review their responsibilities under the new SCCs. This is a good time for companies to determine whether their DPAs have terms that are inconsistent with the new SCCs and, if they do, to resolve those inconsistencies. For companies that have global DPAs, an SCC-driven review presents a good opportunity to update the DPA to account for new contract requirements from the CPRA, VCDPA, and ColoPA. For example, the CPRA requires third party contracts to include provisions limiting personal information sales to specified purposes. Both VCDPA and ColoPA require controllers to have contracts with specific instructions on how the processors must process data such as the type and duration of processing.

On July 16, the European Court of Justice (CJEU) issued a highly-anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing a reminder about company responsibilities when implementing them.

As brief background, the EU General Data Protection Regulation (GDPR) requires that businesses have in place mechanisms that ensure an adequate level of protection for EU data subject personal data transferred to the United States. Until July 16, the available transfer mechanisms were Privacy Shield, SCCs, and Binding Corporate Rules. This case arose from a complaint, filed by Austrian privacy activist Max Schrems, with the Irish Data Protection Commission (DPC). Schrems alleged that the transfer of EU personal data to the U.S. via SCCs did not ensure an adequate level of protection (and therefore violated EU data subject rights) because U.S. law enforcement and government agencies were provided essentially unrestricted access to that data. The DPC then referred to the CJEU 11 questions about whether SCCs and Privacy Shield violate EU data subject rights, including the rights to the protection of personal data, under the Charter of Fundamental Rights of the EU.

Schrems had followed the same process in 2015, and in that decision, the CJEU agreed with Schrems, holding that the data transfer framework that existed at that time (Safe Harbor) did not provide protection equivalent to that afforded within the EU, and therefore did not meet the adequacy standards for international transfers. As a result, the EU Commission agreed to replace Safe Harbor with Privacy Shield, which currently has over 5,000 participants. Most companies, including Facebook, switched to SCCs after that decision.

As the CJEU explains in the decision issued on July 16, although Privacy Shield provides an adequate level of protection for data transferred thereunder, it allows derogation from those protections “to the extent necessary to meet national security, public interest, or law enforcement requirements” and therefore “cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter [of Fundamental Rights].” As a result, Privacy Shield is invalid, effective immediately. The CJEU upheld SCCs as a valid transfer mechanism, but reiterated that companies cannot simply sign the SCCs and be done with them. Rather, they have an obligation to ensure that their privacy and security practices are in compliance with the requirements within the SCCs, and should therefore be sensitive to sharing any EU personal data with U.S. law enforcement and government agencies.

An appeal is possible, and could result in a different outcome, but Schrems is pleased with the CJEU decision. In the meantime, please reach out for any assistance implementing, or confirming that your practices are in compliance with, SCCs.

The European Union (EU) is preparing to treat the United Kingdom (UK) as a third country after its withdrawal from the bloc, commonly known as Brexit.  Unless a deal is agreed before 29 March 2019, the UK’s trade with the EU will be heavily impacted by regulatory restrictions, increased costs, and lengthier procedures applicable to the movements of people, goods and services.  Less obvious is the impact on trade of the “no deal” scenario from potentially restricted data flows. With only eight months left until Brexit Day, the UK and EU have yet to start talks on a data protection agreement.

Data flows play an increasingly important part in international trade and are estimated to contribute up to 2.8 trillion USD to the world economy.  In 2016 alone, EU services reliant on data exported to the UK, such as finance, telecoms and entertainment, were worth approximately 36 billion EUR. Data flows from the UK to the EU constitute as much as three-quarters of all data from the UK. Under the EU’s General Data Protection Regulation (GDPR), however, personal data included in such data flows must be protected. For companies, this can include employee data (e.g. payroll information, biographical information, etc.) and customer data (e.g., contact information, transaction information, biographical information, social media profiles, etc.). Data flows from the EU to a third country are permitted if there is an adequacy decision by the European Commission that the third country’s data protection laws are adequate to meet the objectives of the GDPR or through another adequacy mechanism approved by the European Commission (e.g., EU-approved Binding Corporate Rules, use of Standard Contractual Clauses, etc.).

Last Tuesday, February 2, 2016, the European Commission announced that it approved the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement with the U.S. Department of Commerce establishing a new framework for transatlantic data flows. Although the full text and details of Privacy Shield have not been released, the new framework is expected to replace the now defunct Safe Harbor, providing 4,400 Safe Harbor-certified companies with greater certainty about data transfers from Europe to the US.

Here’s what you need to know:

Elements of Privacy Shield

European Commission Vice-President Ansip and Commissioner Jourová are charged with preparing a draft “adequacy decision” that will include at least the following three elements:

  1. Robust enforcement and strong obligations on companies handling Europeans’ personal data: U.S. companies will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor whether companies publish their commitments and the U.S. Federal Trade Commission will manage enforcement. Any company handling human resources data from Europe will have to commit to comply with decisions by European Data Protection Authorities (DPAs).
  2. Clear safeguards and transparency obligations on U.S. government access: The U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
  3. Effective protection of EU citizens’ rights with several redress possibilities: Citizens who believe that their data has been misused will have several redress possibilities under the new arrangement. Companies will have deadlines to reply to complaints and European DPAs will be able to refer complaints to the Department of Commerce and the Federal Trade Commission. Alternative dispute resolution will be free of charge. A new and independent Ombudsperson will manage citizen complaints regarding possible access by national intelligence authorities.

Has Privacy Shield Replaced Safe Harbor?

No. Although the announcement of a renewed commitment between the U.S. and EU is promising, Privacy Shield has several procedural hurdles to overcome before adoption and, even then, may still be challenged in European courts. The post-Schrems decision regulatory framework for transatlantic data transfer remains unchanged and uncertain.  Put simply:

  1. Safe Harbor is invalid and any data transfers that rely on this mechanism violate EU law
  2. Binding corporate rules, standard contractual clauses, and ad hoc contracts or intra-group data transfer agreements continue to be valid mechanisms for transatlantic data transfers

Early this week, Commissioner Jourová announced that the Privacy Shield text will be unveiled in the second half of February. The Article 29 Working Party, whose primary objectives include providing expert opinions on questions of data protection from the member state level to the European Commission, will advise the Commission on the adequacy decision and is expected to weigh in on the text by the end of March.

For our part, we will continue to monitor developments as they unfold and will provide a more detailed analysis of the Privacy Shield agreement once it has been released to the public.

This past Friday, the European Commission (“the Commission”) issued guidance addressing transatlantic data transfers after the European Court of Justice (“ECJ”) decision in the Schrems case. As we noted in an earlier post, the ECJ Schrems decision invalidated the U.S.-EU Safe Harbor framework, the mechanism that enabled self-certifying corporations to transfer personal data from EU countries to the United States. The Commission’s recent guidance sets forth its top priorities and identifies viable and available transfer mechanisms for companies now that Safe Harbor is no longer valid.

Key takeaways from the guidance include:

  • The Commission will continue to work with data protection authorities to ensure uniform application of the Schrems ruling
  • The Commission will continue to work in earnest to negotiate a safer and more comprehensive framework for future transatlantic data transfers
  • The guidance identifies standard contractual clauses and Binding Corporate Rules as viable temporary alternative transfer mechanisms
  • The guidance notes that data protection rules provide for certain exemptions, which may permit the transfer of data in specific circumstances

The Commission’s guidance should be somewhat reassuring for companies impacted by the recent Safe Harbor ruling and concerned by recent posturing of national data protection authorities. For example, this past October Germany’s Data Protection Authorities (which include the federal DPA and 16 state DPAs) issued a 14-point position paper addressing transfer mechanisms post-Safe Harbor and suspending Binding Corporate Rules approvals and ad hoc export agreements to the US for the foreseeable future. The Commission’s guidance suggests that the Commission recognizes the urgency for a new Safe Harbor, which the EU and US are working to try and achieve by early 2016. We will continue to provide further updates as we follow these developments.

An exchange of views between the European Parliament and Mrs. Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, revealed ongoing negotiations between the Commission and the U.S. Department of Commerce for a revised Safe Harbour agreement to allow data from the European Union to be processed in the U.S. The exchange took place at a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in Strasbourg on Monday, 26 October.

Mrs. Jourová informed the Parliament that a Working Party comprising the European Data Protection Authorities (DPAs), convened to discuss the ECJ ruling and a revised Safe Harbour, had confirmed the continuing availability of other tools allowing for data transfer and processing, including standard contractual clauses and binding corporate rules. She noted, however, that the DPAs were in the process of evaluating the potential impact of the Schrems judgement on those other tools. The Commission will publish an explanatory communication concerning the Schrems judgement shortly. The Commissioner asked for the Parliament’s support in convincing Washington to provide greater security under a revised Safe Harbour that would move from a self-regulated approach to more oversight through regulatory controls, backed up by enforcement and sanctions provisions.

In response to questions by European Parliamentarians, Mrs. Jourová stressed that the ongoing discussions with Washington were unrelated to and did not impact the position of the Commission on TTIP, as data protection is not part of that negotiation. When asked whether a revised Safe Harbour would require changes in U.S. legislation, timeframes, and how the Commission intended to deal with the transitional period, the Commissioner responded that better controls would include more precise descriptions of the limitations under which intelligence agencies would have access to data and, among other things, annual reviews conducted by state authorities. Mrs. Jourová also indicated that the Commission was continuing to work on an urgent basis on a data protection reform package that would safeguard fundamental rights while creating greater legal certainty by replacing the differing approaches of the 28 Member States.

The European Commission will meet with U.S. authorities in mid-November and will report back to the European Parliament on 10 December. Mrs. Jourová stated that if a solution is not found for a revised Safe Harbour with U.S. authorities by the end of January 2016, the DPAs of the EU Member States would take all necessary steps, including bringing enforcement actions.

Prospects Rise for Antitrust and Data Legislation

Displaying bipartisanship seldom seen on Capitol Hill, the Antitrust Subcommittee of the House Judiciary Committee held a hearing yesterday on Reviving Competition in which Democrats and Republicans appeared to agree on crucial issues.[1] Subcommittee Chairman David Cicilline and Ranking Member Ken Buck echoed one another on the need for reforms, while many members of the full Judiciary Committee, including Chairman Nadler and Ranking Member Jordan, weighed in with their own support for writing new laws on Big Tech.

Virtually unanimous was the sentiment to increase funding for the Federal Trade Commission and the Antitrust Division at the Department of Justice. So was the desire to accelerate antitrust litigation and the idea of easing the burden on the government to stop mergers. Consensus seemed close as well on making data more portable for consumers who switch vendors and products and on improving the interoperability of apps and devices. Proposals to create a new federal agency to regulate Big Data met with less favor, and arguments to break up large firms did not capture the day. The Commission emerged as the agency most likely to see an expansion of authority.

The hearing was the first of a series planned to develop legislation based on the extensive investigation of competition in Big Tech that the subcommittee had conducted in the last Congress. Chairman Cicilline opened with a warning that dominant companies have too much power and it needs to be curbed. “Mark my words, change is coming. Laws are coming.” He cited dominant firms’ acquisitions of nascent competitors, contractual conditions that platforms impose on other vendors, disadvantaged news media, and measures that other countries have taken to rein in the companies. Perhaps most importantly, he concluded by noting the agreement of Ranking Member Buck on many of the proposals.

For his part, Mr. Buck recounted examples of conduct attributed to Big Tech during the investigation last year, including allegations of collusion, unfair competition against vendors on platforms, markups added to competitors’ products and actions to silence political speech. He then expanded on the remedies he proposed. First, he advocated data portability and recalled that one of the most popular laws Congress ever passed was the Telecommunications Act of 1996, which allowed consumers to keep their phone numbers when they switched carriers. Second, he extolled interoperability – allowing “competing technologies to speak to one another” – so consumers are not locked into one choice. Third, he supported more robust enforcement of the antitrust laws, although he cautioned against a Glass-Steagall Act for the internet (referring to proposals to prevent platforms from competing with vendors on them).

Witnesses representing a cross section of the political spectrum offered testimony ranging from a defense of modern antitrust doctrine to a proposal that Congress create a regulator like the bodies that once controlled railroad and telecom. The majority of the Committee was clearly somewhere between maintaining the status quo and replacing antitrust enforcement. Ranking Member Buck said, “the key is to make sure that we do not take a chainsaw to the whole economy, but rather we should implement a scalpel-like approach for Big Tech.” The odds of some sort of surgery loom large.

Background

Both the Chairman and the Ranking member issued reports in late 2020. The Majority Staff Report, Investigation of Competition in Digital Markets,[2] summarized more than a year of investigation that spanned seven hearings and amassed 1.3 million documents, “the most significant congressional antitrust investigation in more than a generation,” said Chairman Nadler at yesterday’s hearing. In over 400 pages the Report reviewed market structure, entry conditions, innovation, privacy, press, and economic liberty in light of modern technology and the large firms that have become identified as its leaders. Although focused on Big Tech, the recommendations could affect competition and consumer protection throughout the economy. The Staff Report advocated measures such as these:

a. Restoring Competition in the Digital Economy

  • Structural separations and prohibitions of certain dominant platforms from operating in adjacent lines of business;
  • Nondiscrimination requirements, prohibiting dominant platforms from engaging in self-preferencing, and requiring them to offer equal terms for equal products and services;
  • Interoperability and data portability, requiring dominant platforms to make their services compatible with various networks and to make content and information easily portable between them;
  • Presumptive prohibition against future mergers and acquisitions by the dominant platforms;
  • Prohibitions on abuses of superior bargaining power [and] due process protections for individuals and businesses dependent on the dominant platforms.

b.  Strengthening the Antitrust Laws

  • Strengthening Section 7 of the Clayton Act, including through restoring presumptions and bright-line rules, restoring the incipiency standard and protecting nascent competitors, and strengthening the law on vertical mergers;
  • Strengthening Section 2 of the Sherman Act, including by introducing a prohibition on abuse of dominance and clarifying prohibitions on monopoly leveraging, predatory pricing, denial of essential facilities, refusals to deal, tying, and anticompetitive self-preferencing and product design; and
  • Taking additional measures to strengthen overall enforcement, including through overriding problematic precedents in the case law.

c.  Reviving Antitrust Enforcement

  • Restoring the federal antitrust agencies to full strength, by triggering civil penalties and other relief for “unfair methods of competition” rules, requiring the Federal Trade Commission to engage in regular data collection on concentration…; and
  • Strengthening private enforcement through elimination of obstacles such as forced arbitration clauses, limits on class action formation, judicially created standards constraining what constitutes an antitrust injury, and unduly high pleading standards.

Committee staff reports and recommendations are at best long shots to become legislation, especially in a Congress as divided as the 117th. The odds of action here got an immediate boost, however, when Mr. Buck issued a report, The Third Way,[3] in which minority members endorsed some of the recommendations. Among the areas of agreement, the Report cited these:

  • More Resources for Antitrust Agencies – The report makes a good case for the need to strengthen our nation’s antitrust agencies with regard to resources.
  • Data Portability – Conservatives should consider supporting very limited legislative changes to provide consumers with a data portability standard that is similar to transferring cell phone numbers, as mentioned above. However, the language must be exact to prevent regulators from stretching Congressional intent to regulate Internet data companies as public utilities under Title II of the Communications Act of 1934, similar to net neutrality.
  • Reforming the Burden of Proof in Merger Cases – The evidentiary burden of proof that antitrust agencies must meet in many merger cases has become insurmountable. As a result, our nation’s antitrust enforcement agencies have built a wall, making it nearly impossible to bring an enforcement case on potential competition grounds in digital markets, granting near-total immunity for Big Tech. …. Congress should reaffirm to the antitrust enforcement agencies that the standard given to the agencies by Congress under the Clayton Act Section 7 allows them to challenge a merger when “the effect of such acquisition may be substantially to lessen competition, or to tend to create a monopoly.” The standard does not specify price change as our enforcers’ only way to review cases where harms to innovation and potential competition exist, and neither does it raise the evidentiary bar on potential completion versus actual competition. In other words, the antitrust agencies raised the bar on themselves, with help from the courts, in the years since Congress adopted the Clayton Act.

In The Third Way, the minority members stopped short of endorsing reform of monopolization laws and their proscriptions of unilateral conduct:

“However, instead of issuing new bright line rules and creating a large regulatory framework to govern these behaviors, we believe the solution is to offer a thoughtful plan that ensures our nation’s antitrust enforcers are following Congress’ original intent regarding the burden of proof needed to bring and win cases involving these theories of harm.”

Among the issues that warranted further review, according to the minority members, were proposals to change the laws on monopoly leveraging, predatory pricing, the essential facilities doctrine, exclusionary product improvement, and the Supreme Court’s decision in Ohio v. American Express (which required proof of competitive effects on both sides – buyers and sellers – of a charge-card platform). The minority members expressed serious skepticism about proposals to resurrect the case law of the 1960s that had established strong market-share presumptions in merger cases, and proposals to prohibit acquisitions altogether when companies reach certain share thresholds.

The agreements and disagreements in last year’s reports were on display in yesterday’s hearing. The agreements could well signal the most significant changes to antitrust laws in decades. Whether the majority and minority can come together on the open issues remains less likely.

[1] Hearing video available at https://judiciary.house.gov/calendar/eventsingle.aspx?EventID=4382.

[2] Available at https://judiciary.house.gov/uploadedfiles/competition_in_digital_markets.pdf?utm_campaign=4493-519.

[3] Joined by Doug Collins, Matt Gaetz and Andy Biggs. Available at https://buck.house.gov/sites/buck.house.gov/files/wysiwyg_uploaded/Buck%20Report.pdf.

At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.

The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.

According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).