EU Model Clause
This section covers the following topics:
the definition of a cross-border data transfer
jurisdictional stipulations for cross-border data transfers
understanding standard contractual clauses for meeting conditions of adequacy
restrictions against amending EU Model clauses
understanding three types of EU Model clauses and when to use each
Part 1: Understanding Cross-Border Data Transfers
As is commonplace today, your organisation no doubt saves data into cloud services such as G-Suite, OneDrive, Dropbox and other data repositories. For example, consider a business in Germany that saves its data to Google’s G-Suite. Unless arrangements are made to control where this data is stored, the storage location may default to servers located in the United States, a country that has not been deemed to provide adequate levels of protection for personal data according to European standards. Many do not realise that the European Commission has the power to determine (on the basis of Article 45 of Regulation EU 2016/679) whether a country outside the EU offers adequate levels of data protection. As of this writing, only 13 countries have adequacy standing, among them Canada, New Zealand and Israel.
In our example, when this fictitious German business saves a client record to Google’s G-Suite, the personal data associated with that record leaves Germany and crosses international borders into the United States, a violation of Regulation EU 2016/679. If discovered, this would result in a sizeable fine imposed upon the business, along with a suspension of data processing activity ordered by the authorities and served on both Google and the German business.
Cross-border data transfers can also occur when employing other data services located outside one’s jurisdiction. For instance, using MailChimp to send bulk emails also employs a service in the United States. This is another example of an unauthorized cross-border data transfer, because personal data flows from the EU into a country without adequacy standing. There is, however, a lawful way to accomplish these things: employing EU Model Clauses, also called Standard Contractual Clauses. This is covered next.
Employing Standard Contractual Clauses to Meet Conditions of Adequacy
Using our example where a German business wants to store data in the United States, it is possible to do so by employing EU Model Clauses, also called Standard Contractual Clauses (SCCs). In this vernacular, the German business is called the data exporter, because it is exporting data to another location; Google’s G-Suite is referred to as the data importer, because it is receiving personal data from the exporter.
In this relationship, the data exporter and data importer must agree to a legal contract whereby both parties consent to the terms and conditions of a “standard contractual clause” or agreement written by the European Commission. The “clauses” within the agreement outline the protections that both parties will afford the personal information. Since the United States does not have adequacy standing as a nation for the protection of personal information, this agreement bridges that gap and satisfies the European Commission, as long as its templated clauses are employed exactly as written.
Part 2: Can I Amend the SCCs?
In a single word, no. SCCs must be adopted as they are templated, neither adding to their scope nor amending the existing scope; this is what permits the European Commission to pre-approve them. However, the parties may agree to the following information being inserted into the form:
identification, location and contact information of the data exporter and data importer;
description of the activities relevant to the transfer by the data exporter and receipt/processing by the data importer;
description of the data subjects (employees and customers);
categories of personal data (identity data, performance data, etc.);
special categories of data (medical data, financial data, criminal data, sexual orientation, etc.);
processing operations, meaning the purpose and scope for which the data is being transferred to the data importer; and
the security measures the data importer agrees to employ to ensure adequate safeguards are in place to protect the personal and sensitive information transferred to the data importer.
The items above may be populated by the data importer and data exporter, but the core clauses of the SCCs may not be amended.
Standard Contractual Example
Part 3: What Happens Next?
Once you complete the SCC, whether it’s for Brazil, the European Union or another country requiring them, you need to determine whether it must be filed with a supervisory authority or simply stored for reference in case a supervisory authority conducts an audit. In some countries, such as Spain, a data transfer based on SCCs cannot proceed until approved by the local supervisory authority. Other countries, such as France and Germany, may not require filing with a supervisory authority unless sensitive information is involved.
If all you need is access to the European Commission SCCs, there are three versions; it’s important to understand the role of the recipient importing the personal data in order to choose the correct version.
The 2001 version, the original form of the SCCs, is still valid, although the 2004 version is more business-friendly.
Employ the 2004 version if the importer acts as a parent company receiving affiliate personal data for its own independent decision-making and functions, which is viewed as something close to a controller-to-controller relationship.
Is Anything Else Necessary?
Be sure to comply with any other laws that may be relevant. SCCs deal only with the transfer of data, so they will likely need to be accompanied by a Data Processing Agreement (DPA) that defines the instructions under which the importer may process the data, including the lawful basis for processing and its proportionality to the need; otherwise, the transfer will be an unlawful disclosure.
For assistance with Data Processing Agreements that should accompany an SCC, please see the DPA section of this site.
A Brief Recap Before You Leave
A cross-border transfer occurs when data moves between two different countries with varying regulations.
You need to know your risk and measure it before you can monitor improvement.
Risk is an asset in danger. To move assets away from danger you need an effective threat model.
Untreated risk is referred to as "inherent risk" and treated risk is referred to as "residual risk" or the risk that remains.
The goal isn't to completely remove all risk, as that's impossible. Your goal is to keep applying treatment until the risk is at an acceptable level according to your regulatory and contractual obligations.
We know there was a lot of information mentioned above. If you would like assistance with what you've read and want to put it into practice, feel free to contact us and we can discuss further details.