It has been reported that European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European data protection law since the coming into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, which was three years ago this month.  These new SCCs will replace prior versions of the SCCs, some of which date back to 2001 and pre-date the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as these are published. We expect the impact of these SCCs to be significant on organizations which are directly subject to the GDPR or which receive personal data from organizations that are subject to the GDPR.

As is well-known, SCCs are template data transfer agreements that allow data exporters in the European Economic Area (“EEA”) to transfer personal data to countries outside the EEA that the Commission treats as providing an “inadequate” level of data protection in accordance with the EU General Data Protection Regulation. (Countries in this category include Australia, Brazil, China, India and the United States.) The new SCCs comprise four different forms Controller-to-Controller, Controller-to-Processor, Processor-to-Controller, and Processor-to-Processor relative to only two forms in the current versions, namely Controller-to-Controller, Controller-to-Processor. Relative to the current SCCs, the new SCCs also impose substantially enhanced obligations on both data exporters and data importers to reflect both the coming into force of the GDPR in 2018 and the decision of the Court of Justice of the European Union in the Schrems II case in 2020.

Based on press reports, the final versions of the new SCCs may, at least in part, be substantially different from the draft versions published in December. For example, a longer period may potentially be offered to organizations to transition to the new SCCs from the existing SCCs. Many organizations also hope that the final versions of the new SCCs will help resolve certain tensions between the draft version from December and the European Data Protection Board’s guidance on Schrems II compliance (notably, whether organizations are allowed to adopt a risk-based approach to assessing data protection risks in the country of data import.)

Photo of Kelly McMullon Kelly McMullon

Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for…

Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for her “responsiveness and practicality.”

Kelly assists clients in a variety of sectors including financial services, asset management, life sciences, fintech, consultancy, retail, sports, leisure and manufacturing in a wide range of contentious and non-contentious matters.

In her employment practice, she provides general day-to-day counselling and advice on all employment-related issues, including hires, terminations, grievances and redundancies, as well as the employment aspects of transactions.

In her data protection practice, Kelly provides strategic advice as well as practical support and guidance on all aspects of data protection compliance, including international transfers of personal data, data breaches, direct marketing and employee data protection concerns. She also provides advice on the data protection aspects of transactions.

Kelly also has experience working with businesses on CSR and ESG initiatives, human rights and modern slavery issues.

Kelly is a contributor to Proskauer’s International Labor and Employment Law and Proskauer on Privacy blogs and is the Editor for Proskauer on Privacy’s “International Data Privacy” chapter. She regularly provides training and speaks on employment and data protection issues.

Her pro bono experience includes counselling not-for-profit organizations on data privacy and employment-related issues.

Read more about Kelly McMullonEmail
Show more Show less