
The Role and Value of Standard Contractual Clauses in EU-U.S. Digital Trade

December 17, 2020

Introduction

What Are Standard Contractual Clauses, Why Are They Necessary, and Who Uses Them?

What Does the Irish Data Protection Commission’s Preliminary Order for Facebook Mean for SCCs?

What Does the Schrems II Decision Mean for SCCs?

Raising the Cost and Complexity of Data Transfers and Analysis: Europe Further Tilts the Balance Toward Localization.

Conclusion

Endnotes

Introduction

Standard Contractual Clauses (SCCs) are a critical, but increasingly threatened, legal tool that many firms use to manage the transatlantic transfers of personal data that drive trade and innovation in the United States and the European Union (EU). SCCs have become even more important since the European Court of Justice (ECJ) invalidated another key tool to transfer data—the EU-U.S. Privacy Shield—which was used by over 5,000 mainly small and medium-sized enterprises (SMEs).[1] Without the EU-U.S. Privacy Shield, SCCs are now the only scalable and widely accessible legal tool available to organizations transferring data from the EU to the United States and most of the rest of the world.[2] Yet, the role and value of SCCs are barely recognized and poorly understood by most policymakers. This creates a risk that EU and U.S. policymakers will be distracted by the legalistic nature of the debate around SCCs and data transfers, miss the bigger picture, and thus fail to marshal a response that creates a clear, coherent, and predictable framework for firms to use to transfer the data that is central to modern trade.

The ability of firms to manage global data governance compliance is critical to maximizing the benefits of data and digital technologies in today’s digital economy. Yet, firms face an increasingly difficult challenge in complying with multiple, and often differing, data governance regimes around the world. The greater the number of countries in which firms operate, and the greater their legal divergences, the greater the challenge. And as many countries move forward to enact new data protection regulations, this complexity will only grow in the years to come. The EU-U.S. Privacy Shield and SCCs had helped ease some of that complexity, but now that relief has disappeared.

Just as firms need clear, predictable, and reasonable documentation and procedures for cargo containers carrying the goods that define 19th century trade, so too do firms need a clear, accessible, and predictable legal framework to allow the seamless movement of personal data for 21st century EU-U.S. digital trade. SCCs are among the most popular transfer mechanism for data flows from European countries.[3]

Because so many organizations rely on SCCs to maintain compliance in their data transfers, they form the foundation of a significant portion of transatlantic trade, especially in digital services. For example, a recent survey of nearly 300 firms—mainly EU firms (75 percent) headquartered across 25 countries, from all major industries, and a mix of company sizes—by Business Europe, DIGITALEUROPE, the European Round Table for Industry, and the European Automobile Manufacturers Association found that nearly 85 percent used SCCs, and only 9 percent did not transfer data outside the EU.[4] Firms handling personal data must have the ability to transfer that data between countries—even if the laws for processing that data differ between them. Interoperability between different data protection regimes is a crucial element of international trade in both digital and non-digital goods and services, be it retail, biopharmaceuticals, manufacturing, automotive, financial, insurance, payments, agriculture, or some other sector.[5] Not all data is personal data, but personal and non-personal data are often intermingled as part of e-commerce transactions; HR and payroll records; travel bookings; health and medical records (e.g., clinical trials); vehicle and machinery operations and repairs (e.g., tractors, jet engines, trucks, cars, and even parts of factories); and any number of Internet services used by individuals and firms alike on a daily basis.

The schism in data governance rules between the EU, the United States, and other countries is not new, but it has grown since the implementation of the EU’s General Data Protection Regulation (GDPR). Data transfers outside the European Economic Area (EEA), which comprises the EU member states plus Iceland, Liechtenstein, and Norway, are subject to stringent compliance requirements to ensure data receives essentially the same privacy protections in the importing country as it does within the EU. The EU has aggressively pressured other countries to essentially adopt GDPR by generally prohibiting data transfers to any country that it has not deemed as having “adequate” data protection. It is questionable whether this data blockade is tenable given the challenge of forcing so many different sovereign countries to make major changes to their domestic laws—many of which take a different approach to data protection, and where there are reasonable disagreements about what should be included. Indicative of this, only 12 countries, not including the United States, have been recognized as having this adequate level of protection; all other transfers must use additional legal mechanisms to ensure compliance with EU data laws.[6]

At inception, GDPR envisaged a broader range of legal tools for firms to use to manage cross-border transfers of personal data. However, more than two years after it came into force, the situation is the reverse: The EU has failed to develop new transfer tools (such as codes of conduct and certifications), it has remained focused on slow and ad hoc adequacy determinations (the EU has only added Japan in the last few years), and existing legal tools have been challenged and removed one by one.[7] Most recently, in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II), the ECJ upheld SCCs as a valid transfer mechanism, but noted that additional “supplementary measures” may be necessary to ensure adequate protections, depending on the laws and regulations of the importing country (this decision is analyzed in detail ahead).[8] The implications of this case affect much more than just Facebook. The outcome of Facebook’s court case, and the broader consideration of SCCs by the European Data Protection Board (EDPB), will greatly affect transatlantic digital trade.

Fundamental changes to the use of SCCs and their central role in EU-U.S. trade are fast approaching. The threat of broad de facto data localization—by making data transfers to other countries so costly and complicated that firms have no other viable option but to store and process data locally—looms on the European horizon as Ireland’s Data Protection Commission (DPC) has made a preliminary ruling (which is on hold pending a hearing at Ireland’s High Court) ordering Facebook to suspend transfers of European users’ data to the United States.

This policy brief provides an overview of SCCs in the transatlantic digital economy, and analyzes the ECJ’s decision on SCCs in Schrems II and the Irish DPC’s preliminary order against Facebook’s use of SCCs. It then analyzes how these changes and the resulting uncertainty raise the cost and complexity of transatlantic data transfers, protection, and analytics—and how this disproportionately affects SMEs and makes U.S. firms significantly less competitive than their European peers. It analyzes one of the other remaining transfer mechanisms—binding corporate rules—and shows how they are not a substitute for SCCs, especially for SMEs. It analyzes how the EDPB’s proposal to use encryption for any number of regular data transfers and services is overly broad, misguided, and burdensome. Finally, it analyzes the economic impact if Europe fully embraces de facto data localization, before outlining why EU policymakers need to work with their own member states and the United States to build a clear, predictable, and accessible framework for firms to manage commercial data privacy concerns, while governments build a new mechanism to account for national security and surveillance concerns.

What Are Standard Contractual Clauses, Why Are They Necessary, and Who Uses Them?

A transfer of personal data outside the protection of the GDPR is considered a “restricted transfer.” For example, if a German firm passes information about its employees to its subsidiary or to a cloud-based human resources service in the United States, this would be a restricted transfer. GDPR allows these transfers under certain circumstances, such as when the European Commission has determined that an importing country’s data protection laws and regulations are comparable to those in the EU (known as adequacy), or when a data exporter has put sufficient safeguards in place before transferring data to a country with insufficient legal protections. Transfers to the vast majority of countries, including the United States, fall into the latter category.[9]

SCCs (sometimes also called “model contracts”) are a set of legal provisions pre-approved by the European Commission. Data exporters and importers must include these provisions in their contracts if they wish to engage in cross-border data transfers. The Commission has three sets of SCCs: two covering transfers of data from data controllers in the EU to data controllers established outside the EU (such as exchanging data within a group of companies), and one covering data transfers from an EU controller to a processor established outside the EU or EEA (such as exporting data to a third-party vendor).[10] The original 2001 controller-to-controller SCCs were supplemented in 2004 by an alternative set of clauses. In 2010, the Commission established the controller-to-processor SCCs to address issues raised by the ever-increasing globalization, outsourcing, and subcontracting involving personal data.[11]

SCCs are useful in many scenarios. For example, a German firm could use a controller-to-processor SCC when it wants to contract with an American payroll company to process its payroll. Or a French travel agency might use a controller-to-controller SCC to send data about a booking to an American hotel.[12] One of the key purposes of the SCCs is to establish rights for the individuals whose personal data firms transfer, and allow these individuals to directly enforce those rights against data importers and data exporters. While firms must include SCCs in their entirety (they cannot alter them), contracting parties can include addendums to further specify the parameters for data transfers. For example, the United Kingdom’s Information Commissioner’s Office provides both SCC templates and SCC-plus contract builders.[13]

The limitation of SCCs is that they do not restrain mandatory government access to personal data. This limitation is at the heart of Max Schrems’s legal complaints. The inability of SCCs to prevent lawful requests for data by foreign governments is why the ECJ, the Commission, and the EDPB have put a growing responsibility on data exporters to ensure adequate protection through additional safeguards (whether technical, contractual, or organizational). But ultimately, policymakers should recognize that there are limits to what commercial actors can reasonably do in response to lawful government requests, especially those involving national security.

SCCs are one of the most widely used mechanisms by U.S., EU, and other firms—from a broad range of sectors, not just consumer-facing ones—to transfer personal data from the EU to the rest of the world. The International Association of Privacy Professionals (IAPP)-EY Annual Governance Report for 2019 surveyed 370 privacy professionals (from both the EU and the United States), and 88 percent reported using SCCs in 2019.[14] Similarly, the recent joint survey by Business Europe, DIGITALEUROPE, the European Round Table for Industry, and the European Automobile Manufacturers Association found that nearly 85 percent of the 292 respondents used SCCs.[15] Furthermore, while nearly all firms used SCCs to transfer data to the United States, 60 percent also used them to transfer data to Asia or the United Kingdom (figure 1).[16]

Figure 1: DIGITALEUROPE Survey: SCCs are used to transfer data globally (percent of the 172 respondents that use SCCs and know to which geographies they transfer data from the EEA).[17]

This post first appeared on ITIF | Information Technology And Innovation Foundation; please read the original post there.