
Cross-Border Data Transfers: Privacy Shield vs. SCCs

By The Reform Team

Transferring personal data internationally is a legal minefield under GDPR rules. Businesses face two main options for compliance: Privacy Shield (now invalidated) and Standard Contractual Clauses (SCCs). Here's the core difference:

  • Privacy Shield: A simplified, self-certification framework for EU-U.S. data transfers, invalidated in 2020 due to U.S. surveillance laws.
  • SCCs: Legal agreements that enforce EU-level data protection globally, requiring businesses to conduct Transfer Impact Assessments (TIAs) for compliance.

Privacy Shield's downfall stemmed from U.S. government access to data under FISA 702 and lack of remedies for EU citizens, while SCCs remain valid but demand more effort, including risk assessments and safeguards like encryption. SCCs are now the go-to solution for global data transfers, especially where no adequacy decision exists.

Quick Comparison

| Aspect | Privacy Shield | SCCs |
|---|---|---|
| Scope | EU-U.S. only | Global |
| Setup | Self-certification | Legal contracts + TIAs |
| Legal Status | Invalidated (2020) | Valid with stricter compliance |
| Compliance Effort | Low | High (detailed assessments needed) |
| Flexibility | Limited | Modular for various relationships |

If you're handling international data transfers, SCCs are your safest bet - just be ready for the extra compliance work. Using multi-step form design can help streamline the collection of necessary compliance data from users.

Privacy Shield vs Standard Contractual Clauses (SCCs) Comparison Chart

Privacy Made Easy Series: Cross Border Transfer

What is Privacy Shield?

Privacy Shield was a framework designed to simplify the transfer of personal data between the European Union (EU) and the United States. Officially launched on July 12, 2016, it replaced the earlier International Safe Harbor Privacy Principles, which had been invalidated in 2015. The goal of Privacy Shield was to harmonize privacy laws between the EU and the U.S., ensuring that data transfers complied with EU data protection standards while supporting transatlantic commerce.

At its height, around 5,000 U.S. companies relied on Privacy Shield to manage data transfers from the EU. However, the framework was short-lived. On July 16, 2020, the Court of Justice of the European Union (CJEU) struck it down in the Schrems II decision, citing fundamental conflicts between U.S. surveillance laws and EU privacy requirements.

How Privacy Shield Worked

Privacy Shield operated on a self-certification basis. U.S. companies voluntarily pledged to follow seven key privacy principles, which were monitored by the U.S. Department of Commerce. These principles were:

  • Notice: Informing individuals about data collection and use.
  • Choice: Offering options to limit data sharing.
  • Accountability for Onward Transfer: Ensuring data protection when shared with third parties.
  • Security: Protecting data against breaches.
  • Data Integrity and Purpose Limitation: Using data only for specified purposes.
  • Access: Allowing individuals to access and correct their data.
  • Recourse, Enforcement, and Liability: Providing ways to resolve disputes and enforce compliance.

A unique feature of Privacy Shield was the Ombudsperson mechanism, which aimed to address complaints from EU citizens about U.S. government access to their data. Despite these safeguards, unresolved legal issues ultimately led to the framework’s invalidation.

Why Privacy Shield Was Invalidated

The CJEU invalidated Privacy Shield due to concerns over U.S. surveillance practices, particularly under FISA Section 702 and Executive Order 12333. These laws allowed extensive government access to personal data, which the court found incompatible with EU privacy standards.

"The limitations on the protection of personal data arising from the domestic law of the U.S. on the access and use by U.S. public authorities... are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law." - Court of Justice of the European Union (CJEU)

The court also criticized the Ombudsperson mechanism for lacking independence from the U.S. executive branch and for being unable to issue binding decisions against intelligence agencies. Another major issue was the lack of judicial remedies for EU citizens in U.S. courts, violating Article 47 of the EU Charter of Fundamental Rights. Despite the invalidation, the U.S. Department of Commerce emphasized that companies’ previous Privacy Shield commitments remained enforceable by the Federal Trade Commission.

What are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses (SCCs) are preapproved legal templates from the European Commission. They allow businesses to transfer personal data from the European Economic Area (EEA) to countries outside the EU while ensuring that privacy protections meet EU standards. Essentially, SCCs act as a legal agreement requiring data recipients in other countries to uphold EU-level data privacy, even if their local laws are less strict. After the invalidation of the Privacy Shield framework, SCCs have become the go-to solution for international data transfers.

Unlike the Privacy Shield, which was a government-to-government arrangement, SCCs are direct agreements between organizations. They are globally applicable, don’t require government approval, and offer a straightforward way to comply with EU data protection standards. While Privacy Shield relied on self-certification, SCCs provide a more structured and enforceable approach. In fact, a 2019 survey revealed that 88% of respondents used SCCs as their primary method for international data transfers.

The European Commission updated SCCs on June 4, 2021, introducing a modular format. These modernized SCCs replaced older versions, which became invalid on December 27, 2022. Organizations still using outdated templates after this date face significant compliance risks.

Key Features of SCCs

The 2021 SCCs are designed with flexibility in mind, offering four modules tailored to specific data transfer relationships. Companies can select the module that best fits their situation:

| Module | Relationship | Common Use Case |
|---|---|---|
| Module 1 | Controller to Controller | Sharing data between two companies for their own independent purposes |
| Module 2 | Controller to Processor | An EU company working with a U.S.-based SaaS or cloud provider |
| Module 3 | Processor to Processor | An EU-based processor hiring a sub-processor outside the EEA |
| Module 4 | Processor to Controller | An EU-based service provider sending processed data back to a non-EU client |

One standout feature is the "docking clause" (Clause 7), which allows additional parties to join an existing SCC agreement without drafting new contracts. Each SCC also includes detailed annexes that outline the parties involved, the type of data being transferred, the purpose of the transfer, retention periods, and the technical and organizational security measures in place. These annexes are critical for compliance.

Compliance Requirements After Schrems II

The Schrems II decision introduced stricter requirements for SCCs. They are no longer a simple "sign-and-forget" solution. Now, organizations must actively evaluate whether the destination country’s laws could undermine the privacy protections outlined in the SCCs.

"The parties to the SCCs must now carry out a 'transfer impact assessment' documenting the specific circumstances of their transfer, the laws in the country of destination and the additional safeguards they put in place." - European Commission

This process, known as a Transfer Impact Assessment (TIA), requires companies to assess risks posed by destination country laws, such as those under FISA Section 702 in the U.S. If risks are identified, they must implement additional safeguards like end-to-end encryption or pseudonymization.

Additionally, SCCs require data importers to notify exporters about any binding requests from public authorities for data access and to challenge any requests that appear unlawful.

Adopting the modernized 2021 SCCs has brought measurable benefits. Companies reported an 82% improvement in data access controls and a 40% reduction in compliance issues. However, adapting to these changes hasn’t been without challenges - 68% of firms in a 2023 survey had to overhaul their processes to better monitor international data flows.

Privacy Shield vs. SCCs: Direct Comparison

Main Differences

Privacy Shield and Standard Contractual Clauses (SCCs) take very different approaches to handling international data transfers. Privacy Shield was a self-certification program specifically designed for EU-U.S. data transfers, requiring U.S. companies to certify compliance with specific privacy standards. In contrast, SCCs are legally binding agreements that can be used for transferring data to any country outside the European Economic Area (EEA) without an adequacy decision.

The key distinction lies in their current legal standing. Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020. SCCs, while still valid, now demand more than just signing a contract; organizations must also conduct a Transfer Impact Assessment (TIA). These differences shape how each mechanism is used and its relevance in various scenarios.

| Aspect | Privacy Shield | SCCs |
|---|---|---|
| Geographic Scope | EU-U.S. transfers only | Global |
| Setup | Self-certification | Contractual agreements, including TIAs |
| Legal Stability | Invalidated in 2020 | Valid with additional safeguards |
| Redress Mechanisms | U.S. government commitments | Clause 11 dispute resolution |
| Continuous Monitoring | Annual re-certification required | Ongoing monitoring and updates needed |

Trade-Offs and When to Use Each

The differences between Privacy Shield and SCCs highlight a trade-off between simplicity and compliance rigor. Privacy Shield relied on straightforward annual re-certifications, without requiring companies to assess local surveillance risks. On the other hand, SCCs demand much more effort upfront. Companies must draft detailed contracts, fill out annexes, and conduct TIAs. However, SCCs offer a broader range of use cases and better legal reliability.

With the introduction of the EU-U.S. Data Privacy Framework on July 10, 2023, organizations now have a simpler option for EU-U.S. data transfers that doesn’t require a TIA. Even so, SCCs remain essential for data transfers to other countries like China, India, or Brazil.

When to Use SCCs and How to Stay Compliant

Common Use Cases

Standard Contractual Clauses (SCCs) are ideal for transferring data to countries that lack an adequacy decision from the European Commission. Thanks to their modular design, SCCs can adapt to various business relationships. For example, a German e-commerce store transferring data to a U.S.-based cloud provider would typically use Module 2 (Controller-to-Processor). On the other hand, an EU medical lab sharing clinical trial results with a U.S. pharmaceutical company would rely on Module 4 (Processor-to-Controller).

If your partner for EU–U.S. data transfers isn’t certified under the Data Privacy Framework (DPF), SCCs require you to perform a comprehensive Transfer Impact Assessment (TIA). For transfers to countries outside frameworks like the DPF, SCCs remain the go-to solution.

With these scenarios in mind, here’s how to ensure compliance while using SCCs.

Steps for Maintaining Compliance

To stay compliant, start with a rigorous Transfer Impact Assessment. This means identifying every instance of data transfer outside the European Economic Area (EEA), including transfers involving sub-processors. Then, select the SCC module that matches your relationship with the data importer. A 2023 survey revealed that 68% of companies had to implement new processes to monitor their international data flows.

Next, evaluate whether the destination country’s laws - such as U.S. FISA 702 - could compromise the protections offered by SCCs. If the TIA uncovers risks, you’ll need to put additional safeguards in place. One effective measure is end-to-end encryption, ensuring only you control the encryption keys. You can also consider factors like the absence of prior government data requests as part of your risk assessment.

"Modern data ecosystems demand dynamic protections rather than static paperwork." - European Data Protection Board Member

Conclusion

Privacy Shield and Standard Contractual Clauses (SCCs) take different paths to ensure compliance with EU–U.S. data transfers. Privacy Shield relied on self-certification, while SCCs use standardized legal contracts to facilitate global data transfers where no adequacy decision is in place.

On July 16, 2020, the Court of Justice of the European Union struck down Privacy Shield, citing concerns about U.S. surveillance practices. However, SCCs were upheld as a valid mechanism under the Schrems II ruling, making them a more legally durable option - albeit with a higher compliance burden.

The main difference lies in the compliance effort required. Privacy Shield involved annual self-certification without detailed risk analysis. In contrast, SCCs demand a Transfer Impact Assessment (TIA) for each transfer, along with additional safeguards like encryption to address risks. The updated 2021 SCCs introduced a modular structure, offering much-needed flexibility for complex business arrangements. These changes highlight the shifting requirements for protecting data across borders.

"Standard Contractual Clauses (SCCs) serve as a dependable safeguard - regulated by strict EU standards - to ensure that personal data flows securely to the U.S." - US Law Explained

Although the EU–U.S. Data Privacy Framework was introduced in July 2023, many organizations still rely on SCCs as a backup, given the potential for legal challenges. SCCs remain a globally applicable, court-tested solution, provided they are paired with thorough risk assessments and strong technical measures. For businesses, the challenge lies in balancing compliance demands with effective risk management, reflecting the broader struggle to find the right tools for international data transfers.

FAQs

Do I still need SCCs if I use the EU–U.S. Data Privacy Framework?

Yes, Standard Contractual Clauses (SCCs) are still necessary, even with the introduction of the EU–U.S. Data Privacy Framework (DPF). While the DPF streamlines data transfers to the U.S. under certain conditions, SCCs remain crucial for situations that fall outside the DPF’s coverage or when extra protections are required. They continue to serve as a reliable and widely accepted method for ensuring compliance in broader cross-border data transfer cases.

What should a Transfer Impact Assessment (TIA) include?

A Transfer Impact Assessment (TIA) focuses on analyzing the legal, regulatory, and technical landscape of the destination country where data is being transferred.

Key factors to consider include:

  • Legal Framework: Does the country's legal system provide adequate protections for personal data?
  • Government Surveillance Practices: Are there laws or practices that could allow excessive access to the data by government authorities?
  • Data Access Laws: How do local laws regulate access to the transferred data?

Additionally, the TIA should evaluate whether safeguards like Standard Contractual Clauses (SCCs) and technical measures (e.g., encryption) are sufficient to protect the data. This is especially critical in light of the Schrems II ruling, which heightened the scrutiny around international data transfers and compliance with data protection authorities' standards.

Which SCC module should I use for my vendor or sub-processor?

To pick the right SCC module, first figure out if your vendor or sub-processor is operating as a controller or a processor. Once you know this, choose the module that fits your data transfer situation: Controller-to-Controller (C2C) or Controller-to-Processor (C2P). These updated SCCs are pre-approved and help meet compliance requirements for transferring data from the EU/EEA to organizations outside that area. Make sure the module aligns with your specific contractual relationship.
