The EU-US Privacy Shield Framework was invalidated by the Court of Justice of the European Union in July 2020, leaving companies that previously relied on it for transatlantic data transfers scrambling for alternative arrangements. One such alternative is the EU Standard Contractual Clauses (SCCs), also known as the EU Model Clauses.
The SCCs are a set of standardized contractual clauses developed by the European Commission that can be used as part of a contract between data exporters in the EU and data importers outside the EU. They provide a legal basis for transferring personal data from the EU to countries outside the EU that do not have an "adequate" level of data protection under the EU's General Data Protection Regulation (GDPR).
The SCCs are not new; they have been around since 2001 and have been updated several times since then. However, their importance has been highlighted in the wake of the invalidation of the Privacy Shield. In fact, the SCCs were one of the legal options available to companies even when the Privacy Shield was still in place.
The SCCs consist of a set of standard contractual clauses that must be incorporated into the data transfer agreement between the EU data exporter and the non-EU data importer. There are two sets of SCCs: one for transfers from data controllers in the EU to data controllers outside the EU, and another for transfers from data controllers in the EU to data processors outside the EU.
The SCCs contain a number of provisions that must be included in the data transfer agreement, such as obligations on the data importer to protect the personal data, restrictions on the use of the data, and provisions for audits and inspections. The SCCs also include a mechanism for resolving disputes, whereby the parties can refer the matter to a competent court or supervisory authority.
It is important to note that the SCCs are not a one-size-fits-all solution. Companies must conduct a thorough assessment of the data protection laws and practices in the non-EU country to which the data is being transferred, to ensure that the SCCs are effective in providing an adequate level of protection for the personal data.
In addition, companies cannot simply rely on the SCCs as a checkbox exercise. They must also implement appropriate technical and organizational measures to ensure the security and confidentiality of the data being transferred. This includes measures such as encryption, access controls, and regular security audits.
In conclusion, the SCCs are a vital tool for companies that need to transfer personal data from the EU to countries outside the EU. However, they should not be treated as a panacea for data protection compliance. Companies must conduct a rigorous assessment of the non-EU country's data protection laws and practices, implement appropriate technical and organizational measures, and ensure that the SCCs are incorporated into the data transfer agreement. By doing so, companies can comply with the GDPR's requirements for international data transfers and protect the privacy rights of their data subjects.