Today, the European Commission released the final version of new Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries. The new SCCs provide much-needed clarity for companies that transfer personal data outside of Europe following last year’s Court of Justice of the European Union’s (CJEU) decision in the Schrems II case. Most significantly for our customers, the new SCCs allow companies to consider the absence of previous requests for data from public authorities as a relevant factor in determining any supplemental protections needed when transferring data. This approach aligns with both the General Data Protection Regulation’s (GDPR) risk-based approach to compliance and the requirements of the CJEU’s Schrems II ruling.
Here’s a brief explanation on the new SCCs, what they mean in the context of Schrems II, and some looking forward thoughts regarding cross-border data transfers.
Why Were New SCCs Issued?
In a press release accompanying the new SCCs, Vice-President for Values and Transparency Vera Jourová said:
“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”
The SCCs were last updated in 2004 (controller-to-controller clauses) and 2010 (controller-to-processor clauses). Since then, the GDPR has introduced specific requirements that must be included in data processing contracts. The new SCCs incorporate the GDPR-required terms into the data transfer mechanism. In addition, the new SCCs better reflect today’s modern business realities where companies often act in both controller and processor roles. The new SCCs are modular in approach, simplifying the contracting process, and also cover two additional transfer types: processor-to-controller and processor-to-processor transfers.
How Do the New SCCs Relate to Schrems II?
Following the Schrems II ruling, companies transferring EU personal data to third countries, such as the United States, must conduct case-by-case assessments to identify any necessary supplemental measures to protect the personal data being transferred. The assessment must consider government surveillance practices and individual rights in the countries where the data is being transferred. The new SCCs reflect this requirement, and also contain specific safeguards, including a requirement to question and challenge, where appropriate, governmental data access requests, as well as keep the data exporter informed. We understand that our customers and regulators require assurances that this is the case. In line with our core values of customer service and integrity, Workday publishes our government access principles and an official transparency report for our customers.
How Do the SCCs Relate to the Newly Approved European Cloud Code of Conduct?
In May, the Belgian Data Protection Authority announced it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”), which is the first transnational EU code of conduct since the GDPR took effect. The EU Cloud CoC complements the SCCs as a compliance mechanism under the GDPR but it does not act as a data transfer mechanism. In August 2019, Workday became the first organization to demonstrate adherence to the EU Cloud CoC.
What’s Next?
We are thoroughly reviewing the new SCCs, and will offer these contractual commitments to our customers well within the required timeframe, which is 18 months for existing agreements. We also anticipate that later this month the European Data Protection Board will issue final recommendations on supplemental measures for data transfers shortly, and remain hopeful that they will also take into consideration whether a company has received any formal requests from government authorities for personal data. Based on both history and affirmative government statements, enterprise human resources, financial, and analytics data are of low interest to government authorities.
In addition, we remain optimistic that a successor framework to the Privacy Shield will be agreed upon this year. In the meantime, Workday renewed our existing Privacy Shield certification, as we continue to uphold the commitments we made to the FTC and our customers about the processing of personal data under the Privacy Shield principles.
Most importantly, we want to emphasize that Workday is confident that the U.S. and EU governments will continue to work together to allow data transfers across borders, and the publication of the updated Standard Contractual Clauses, along with the ongoing efforts by the two governments, supports that goal.