On June 4, 2021, the European Commission (EC) adopted a modernized set of standard contractual clauses for international data transfers (New SCCs) aimed at better protection of the data businesses transfer out of the European Union (EU). These New SCCs, which will take effect on June 27, 2021, will replace the standard contractual clauses that were adopted under the former EU Data Protection Directive in 2001, 2004 and 2010 (Previous SCCs).
The New SCCs were eagerly awaited due to the tremendous amount of uncertainty following the Court of Justice of the European Union’s (CJEU) decision in Schrems II in July 2020. They take into account the requirements laid out in that decision along with the requirements of the EU General Data Protection Regulation (GDPR), while also, according to the EC, “ensuring a high level of data protection for EU citizens” and addressing “the realities faced by modern business.”
Companies should be aware of the following key items when assessing and implementing the New SCCs:
- Transition period of up to 18 months: Companies entering into new agreements have until Sept. 27, 2021, to commence using the New SCCs. At the same time, companies can continue to rely on the Previous SCCs in existing agreements until Dec. 27, 2021. During that time period, data controllers and processors will need to complete a review and renegotiate or repaper existing agreements to fully migrate to the New SCCs.
- Additional transfer scenarios: The New SCCs address the following four data transfer scenarios:
  - Controller to controller;
  - Controller to processor;
  - Processor to processor; and
  - Processor to controller (a significant difference from the Previous SCCs, which expressly addressed only the first and second scenarios).
- Modular basis: The New SCCs consolidate all four model terms mentioned above into one document, an approach that allows controllers and processors to select the relevant clauses that apply on a modular basis. However, there are various decision points to make when implementing the New SCCs due to this approach, which means adopting the New SCCs requires more effort than simply swapping out the Previous SCCs.
- Docking clause: The New SCCs provide for multi-party use, including an optional “docking” clause which allows new parties to be added over time.
- Article 28 GDPR processor terms: The New SCCs contain Article 28 GDPR compliant terms that need to be considered in a company’s standard data processing agreement that currently implements the Previous SCCs.
- Provision addressing Schrems II requirements: The New SCCs include an overview of the different steps companies have to take to comply with the Schrems II judgment, including the requirement to carry out and document a transfer impact assessment of the laws of the third country, as well as examples of possible supplementary measures (e.g. encryption) that may be required to ensure a level of protection for the data that is essentially equivalent to the one afforded in the European Union.
A link to the New SCCs and the implementing decision may be found on the European Commission’s webpage.
Companies should consult with legal counsel to ensure they are complying with the New SCCs.