Don’t Get Sunk Leaving the Safe Harbor–Navigating Recent SCC Contract Amendments
The Edward Snowden security breach created a number of casualties. Unfortunately, if you recently received a demand to add something called “Standard Contractual Clauses” or SCCs (which are available at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) to one of your company’s contracts, your company may be one of these casualties. That is because the Safe Harbor provisions of the company’s web site or contracts have now been invalidated by a recent decision of the European Court of Justice titled Maximilian Schrems v. Data Protection Commissioner, No. C-362-14 http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1467391094851&uri=CELEX:62014CJ0362 (“Schrems”). As a result, the EU has advised companies transferring personal information to US companies that they need to amend all of their contracts to include the SCCs. If your company performs hosting, data processing, or other similar services for EU companies or act as a subcontractor to a company that performs such services, expect to receive a SCC contract amendment soon.
Prior to Schrems, the Commerce Department’s Safe Harbor program with the European Union (“Safe Harbor”) permitted companies to accept and use personal information from EU residents that was transferred to the United States for processing, storage and other legal uses (“Personal Information”), if the US company had certified its compliance with the Safe Harbor program. If a company’s privacy or data handling policy complied with the requirements of the Safe Harbor program and the company registered as Safe Harbor compliant with the Commerce Department, then the parties to any cross border data transfer simply needed to include a statement in its contract that the US company was compliant with Safe Harbor. The EU and the Commerce department had agreed that this Safe Harbor provided the “adequate level of protection” of data privacy that EU companies are required to obtain, under the EU Data Protection Directive, to transfer Personal Information to US companies.
This process was a boon for US companies, who in the absence of Safe Harbor would be required to execute the SCCs. Having part of one’s contract drafted by a consortium of foreign governments is less appealing to most US companies than simply complying with Safe Harbor, and most took that route.
This was all turned upside down, however, in Schrems. The ECJ ruled that due to the revelations of widespread national security and law enforcement snooping on private communications that came out of the Snowden incident, the Safe Harbor did not provide an adequate level of protection for Personal Information. Effectively, this meant that EU companies could no longer rely on inclusion of “Safe Harbor compliant” clauses in their contracts.
Apparently, the EU and United States are attempting to come up with a new “Safe Harbor” rule, to be called the Privacy Shield ( http://europa.eu/rapid/press-release_IP-16-216_en.htm). In normal times this would take years, but considering that the EU currently finds itself scrambling to deal with the UK’s exit from the union it may be a while longer.
In the meantime, the EU has specifically advised EU companies that provide cross-border data transfers of Personal Information to US companies that they must amend their contracts to include the SCCs (http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf). In the experience of this firm, however, some companies are using the SCC requirement as an excuse to retroactively add or amend other substantive terms of their contracts under the guise of compliance (i.e., beyond those required by the SCCs) such as:
- Additional warranties
- liquidated damages
As a result, it is important to have SCC contract amendments reviewed by counsel to ensure that the only changes are the ones required by the SCCs, and that the contracting party is not trying to renegotiate the contract under the guise of compliance. If your company receives one of these amendments and want to make sure that it is not getting sunk right after leaving the (safe) harbor, contact Langin Law Firm.