EU Adopts New Standard Contractual Clauses for Data Transfers

​On June 4, the European Commission approved new standard contractual clauses to permit transfers of personal data from the European Union to other countries, such as the United States.

These will replace the old standard contractual clauses adopted in 2010. The new clauses reflect changes implemented with the EU's new privacy law, the General Data Protection Regulation (GDPR) of 2018. The GDPR limits the types of personal data that can be transferred legally.

U.S. multinational employers must fully understand their new legal compliance and documentation responsibilities, particularly during HR functions like record keeping; performance evaluation; expense reimbursement; and diversity, equity and inclusion initiatives. The data transfers may encompass HR records, performance reviews, employee benefits data and user logs.

For existing contracts, businesses have until Dec. 27, 2022, to comply.

Any new contracts must use the new standard contractual clauses after Sept. 21, 2021. After that deadline, if employers with workers in the EU transfer data without the proper legal protections, they could face fines or lawsuits.

"The administrative penalties for violations of the GDPR could range as high as 4 percent of the annual gross revenue for the entire corporate group. While a penalty of that size is unlikely, EU data protection regulators have been aggressively enforcing the GDPR and have been imposing monetary penalties," said Philip Gordon, an attorney with Littler in Denver.

Disruption to operations could be another consequence that employers want to avoid.

Regulators "have the authority to order suspension of data flows outside of the EU. Such an order could be highly disruptive for a U.S. multinational that centralizes and manages all employee data globally in a human resources information system stored on a server in the United States," Gordon explained.

Action Items

Mark Francis, an attorney with Holland & Knight in New York City, recommended that employers take these steps:

• Identify all existing contracts that will need to be amended to include the new clauses by Dec. 27, 2022.
• Consider scenarios not previously accounted for in the old clauses to determine when the new clauses are necessary.
• Engage with business partners to execute the new clauses.
• Update internal policies and procedures to account for enhanced protections required by the clauses.

Have a pragmatic plan for this and don't try to do too much at once.

"This can include leveraging privacy tech platforms and system or data inventories to accurately identify relevant data transfers; prioritize actions based on risk; and then take pragmatic approaches that are not too burdensome, too costly or require constant upkeep," Francis said.

While addressing the EU privacy laws, don't overlook the new privacy laws in other countries like Japan and Brazil. "We often advise companies to think more holistically in their approach," Francis said.

Annual privacy training may be appropriate for employees who work with the personal information of EU residents.

[Want to learn more? Join us at the SHRM Annual Conference & Expo 2021, taking place Sept. 9-12 in Las Vegas and virtually.]

Major Update

Updating the documents and processes may be time-consuming and challenging for employers.

"Many organizations have hundreds or thousands of contracts that will need to be assessed and updated," Francis said. "The new standard contractual clauses apply to business relationships that were not covered by the old version, such as a U.S. customer using a service provider in the EU, so it is not quite as simple as just swapping out old terms for the new terms."

The agreements between employers and third parties must be accurate and include all categories of personal data transferred and all purposes for which the data will be used. All corporate entities that export and import EU personal data must be parties to the agreement, Gordon said.

"When a multinational employer does not complete comprehensive and thorough mapping of cross-border data transfers before preparing the new standard contractual clauses for execution, it runs the risk of having an agreement that does not cover all data transfers and all purposes for processing and, therefore, exposes the employer to enforcement risk," he explained.

The new standard contractual clauses require companies to assess the laws of the country where the data importer is located and determine that those laws will not impinge on the data importer's ability to comply with its contractual obligations.

"The new standard contractual clauses also require that this assessment be documented and made available to EU data protection regulators upon request," Gordon said. "Many U.S. multinationals will need to rely heavily on outside counsel to prepare the required assessment."

The new standard contractual clauses require companies to give employees more information about data transfers than they previously did under the GDPR. "Multinational employers with employees in the EU may be required to revise and redistribute the data-processing notices they previously provided to employees," Gordon confirmed.

The new clauses are "particularly important for U.S. companies because the other popular option, known as the U.S.-EU Privacy Shield Framework, was ruled invalid in July 2020 by the Court of Justice of the EU," Francis stated.

Leah Shepherd is a freelance writer in Columbia, Md.