Standard Contractual Clauses
The GDPR places restrictions on the export of personal data out of the EEA/UK unless there are adequate protections in the destination country to keep its government from accessing that data (other than through legal means). Such international data transfers are only allowed under two conditions: (1) if the destination country has been the subject of an adequacy decision by European authorities, or (2) via the standard contractual clauses (SCCs).
An adequacy decision means that the destination country has been found to have adequate safeguards in place to protect data from government intrusion. There are only a dozen or so countries that have been recognized by adequacy decisions; noticeably absent from this list is the United States. Because so much data is processed by American tech companies, this obviously creates a lot of problems for European organizations. The United States and the EU negotiated a privacy framework called the Privacy Shield that could be voluntarily adopted by businesses and would essentially take the place of an adequacy decision. However, in 2020 the EU Court of Justice (in a case known as “Schrems II”) invalidated the Privacy Shield framework, declaring it did not provide sufficient protections for EU personal data.
This leaves the SCCs as the only viable option for exporting personal data to the United States (or any other country not the subject of an adequacy decision). The SCCs are a set of contractual clauses that have been officially adopted by the European authorities as containing sufficient privacy and security guarantees for personal data. Any data exporter, whether they are a controller or processor, must include the SCCs as part of their agreement with the data importer. To find out whether they are included in your agreement with a data importer, you can usually just search for the term “standard contractual clauses.”
While it is relatively straightforward to add the SCCs to a data protection agreement, the latest version of the clauses has some new requirements that are considerably more complicated. In response to the Schrems II case, European authorities added a requirement that the data exporter complete a “Transfer Impact Assessment” evaluating the likelihood that the data could be inappropriately accessed in the destination country. These assessments must be carried out on a case-by-case basis, so they cannot be part of a boilerplate agreement.