A Closer Look at Implementing EU Model Clauses and Binding Corporate Rules (“BCRs”)


The Schrems II Ruling

Following the precedent of Schrems I, in which the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Safe Harbor arrangement on October 6, 2015, many privacy professionals did not expect the outcome of Schrems II to be different. The Schrems II case stemmed from the 2015 Schrems I decision, which invalidated Safe Harbor as the acceptable framework for international transfers of personal data. The initial Schrems II case brought to the Irish High Court in May 2018 argued that the EU Standard Contract Clauses (“SCCs”) and the Privacy Shield did not constitute an adequate level of protection of personal data. The Privacy Shield, which was officially adopted in 2016 by the European Commission, intended to address the issues the CJEU had raised with the Safe Harbor, but many of the mechanisms remained the same – which a few years later has led to the recent decision to invalid the EU-U.S. Privacy Shield. 


On July 16, 2020, the CJEU issued its historic ruling in the Schrems II case to invalidate the EU-U.S. Privacy Shield. In its ruling, however, the CJEU affirmed the validity of the SCCs as a means to transfer personal data outside of the EU.


The Impact and Alternative Solutions

In light of the decision, many organizations that relied on the EU-U.S. Privacy Shield framework will need to reconsider other approved cross-border transfer mechanisms to protect personal data and facilitate an ongoing and systematic personal data transfers, such as Binding Corporate Rules (“BCRs”) and Standard Contractual Clauses (“SCCs”). Additionally, organizations may also increase reliance on other acceptable exceptions or derogations presented in the EU General Data Protection Regulation (“GDPR”) for specific situations (e.g., the data subject has explicitly consented to data transfer, the transfer is necessary for the performance of a contract between the data subject and the controller, etc.).


In this blog, we take a closer look at the alternative lawful data transfer mechanisms, such as the BCRs and SCCs, and how companies could apply them to continue transfers of data to the U.S.


Implementing the EU SCCs

Standard Contractual Clauses (SCCs), as established by the European Commission, have been widely used as one option for providing a legal basis for data transfers between the EU and non-EU countries. SCCs are standard sets of contractual terms and conditions that the controller and processor of personal data agree to, aimed at protecting personal data and to comply with Article 46 of the GDPR data transfer requirements – provided that the SCCs are adopted completely and unaltered. The European Commission has issued three sets of SCCs, two of them are intended for data transfers from EU controllers to non-EU controllers and the third set, for data transfers from EU controllers to non-EU processors. The European Commission has made the SCCs available on the European Commission website and free of charge for organizations to use.


Organizations that will be applying the SCCs as the mechanism to lawfully transfer personal data to the U.S. for the first time, should begin by understanding the requirements of the clauses and identifying existing data processing activities impacted by the ruling, for both internal and external transfers of data. For organizations that already comply with the GDPR, this may be part of their data mapping or record of processing activities exercise. Organizations would need to review data exports and imports arrangements for data transfer from the EU to the U.S. and include SCCs in their contracts with each other as part of a Data Processing Addendum or similar. Organizations need to ensure that SCCs are in place to cover each purpose of processing for which an SCC is relied upon as the legal data transfer mechanism. This may mean that any changes to processing activities will require new SCCs, so changes to the record of processing for GDPR Article 30, for example, will need to be reviewed by Legal to ensure the appropriate legal basis exists for new activities.


Further, the CJEU stresses the obligations that “data exporters” (i.e., the entities who transfer personal data out of the EU, typically controllers as defined by GDPR) and “data importers” (i.e., the entities outside the EU who agree to receive EU resident data, typically processors as defined by GDPR ). Under the guidance from the CJEU, importers and exporters have to work to scrutinize and ensure that the processing of data is carried out in accordance with the applicable data protection law and the SCCs.  Consequently, the data exporters have the ability to and are obliged to suspend and/or avoid data flows that do not comply with the SCC obligations, and importers are obliged to notify exporters where they cannot meet contractual obligations regarding data processing. This newly emphasized level of scrutiny that data exporters and importers should provide each other with strikes a balance of power and shared responsibility to help ensure that, prior to any transfers, an adequate level of protection is in place, and data is not at risk.


 It is therefore also important that data exporters perform thorough and periodic reviews of data importers to determine if such party is technically and organizationally capable of satisfying the privacy and data protection obligations under the SCCs. This can be accomplished by performing a vendor risk assessment on those partners to ensure that the appropriate safeguards are in place and further understand their privacy and data protection programs. If it is determined that the data importer cannot guarantee an adequate level of protection for the personal data, data exporters should consider suspending the data transfer and/or terminating the contract. Companies should also consider additional optional commercial clauses available in the SCCs, such as indemnification clauses of any breach of the obligations set in the SCCs; however, organizations may choose not to include or add other additional commercial clauses. 


Implementing the EU BCRs

Binding Corporate Rules (BCR), developed by the Article 29 Working Party (WP29), are legally binding and enforceable internal rules and policies for transfers of personal data outside the EU within multinational group companies. For organizations with complex internal personal data transfers, BCRs can be a better option as they can be tailored to fit the needs of the organization, allowing for significant flexibility. However, any changes to data flows that go beyond the scope of the authorizations require reauthorization for all or part of the processing. Companies should submit BCRs for approval to the data protection authority in each EU Member State and designate a lead authority to facilitate the approval process of BCRs in all relevant jurisdictions. Organizations need to ensure that BCRs are distributed to all relevant entities for review and obtain stakeholder and, typically, executive approval. The process to obtain approval of the BCRs can be lengthy, subject to many global and local committee reviews and approvals, and it is not atypical that the end to end process, from drafting to approval of BCRs, may take as long as 12 months.


When preparing the BCRs content, organizations can use the WP29 guidelines to address the principles and elements businesses should incorporate in their BCRs. Additionally, the BCRs should address the key requirements provided in the GDPR and the commitment to comply from the entities within the organization who sign the BCRs, such as minimum standards for data use and protection, purpose limitation, and security safeguards. Adopting groups will also have the responsibility and obligation to support the organization’s Subject Requests (DSRs) programs, Privacy Impact Assessments (PIAs), and other privacy and regulatory requirements. BCRs should also provide guarantees regarding processing of personal data, restrictions on transfers, obligation to notify the entity of data breaches, and compliance with Article 28(3) of GDPR, which requires that the entities within a group (effectively acting almost as a form of internal “processor”) do not engage another processor (a sub-processor) without the controller entities’ prior specific or general written authorization.


Other requirements of BCRs include that organizations maintain and provide training to employees who have access to personal data and document their training programs, and document the data protection audit program and plan, including the frequency in which the audit will be carried out and the designated group performing the audit. In response to this, organizations could consider the potential need for internal audit or third-party independent audit to ensure BCRs compliance from the adopting entities. Ultimately, the BCRs should help organizations to ensure consistent privacy and data protection standards globally and locally, while simultaneously raising awareness of data protection obligations within the organization. 


How We Can Help

The decision to invalidate EU-U.S. Privacy Shield brings many challenges to organizations that relied on it for personal data transfers from the EU to the US, causing potential disruptions and uncertainty. However, SCCs and BCRs present an alternative solution. As such, organizations will need to evaluate their options for legal data transfer mechanisms and determine which are most suitable, considering the nature of the data, purpose, processing activities, the source and destination. Moreover, organizations must review contracts with vendors that relied on the Privacy Shield and quickly find an alternative solution. 


Regardless of the data transfer mechanism that an organization chooses, organizations need to prepare for the different requirements each mechanism has in order to be able to demonstrate compliance. Our team of experts can assist you in carrying out Vendor Risk Assessments over processors or conducting Data Mappings to identify cross-border transfers and suggest the appropriate approach to ensuring a legal basis for processing. We also have extensive experience in developing Privacy Programs and Privacy Compliance Assessments for entities subject to SCCs and BCRs to demonstrate they have effective controls and maturity in place to meet the rigors of SCC and BCR requirements.


Interested in talking more about privacy and data protection? Get in touch with us.