The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.

Visual

Implications

  • Initial cross-border transfer from the EEA to the US utilizes the SCC Module 1 designed for transfers from a controller to another non-EEA Controller (1st SCC).
  • Pursuant to Section 8.7 of the 1st SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). Note that the parties could decide to enter into a single SCC Module 1 with Company A, Company B, and Company C as signatories.
  • Note that if Company C makes any additional onward transfers, the appropriate module of the SCCs would also need to be used.
  • Note that Section 14 of the SCCs requires Company A and Company B to conduct a transfer impact assessment (TIA) of United States law to determine whether either party has reason to believe that the laws and practices of the United States that apply to the personal data transferred prevent Company B from fulfilling its obligations under the SCCs.
  • Note that Section 14 of the SCCs requires Company B and Company C to document a TIA of Country X’s law to determine whether either party has reason to believe that the laws and practices of that country prevent Company C from fulfilling its obligations under the SCCs.
  • Note that Section 15 of the SCCs requires that Company B and Company C take specific steps in the event that they receive a request from a public authority for access to personal data. As a result, Company B and Company C might be expected to implement a written law enforcement request policy.