On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).
The following are some key differences between the old and new SCCs:
- Modules. The new SCCs have a “modular” structure that allow parties to choose among four transfer scenarios that may be applicable to the transfer:
- Controller to controller;
- Controller to processor;
- Processor to processor; and
- Processor to controller.
- Additional Parties. Whereas the prior SCCs only allowed for controller-to-controller or controller-to-processor transfers, the new SCCs also allow for processor-to-processor transfers and processor-to-controller transfers. The new SCCs also permit multiple parties to contract and allow for the addition of new parties, beyond the initial signatories, over time.
- Territorial Scope and Article 28. The new SCCs recognize that data exporters based outside of the EU may use the new SCCs. Additionally, where the processing involves data transfers from controllers or processors subject to the GDPR to processors outside of the GDPR’s territorial scope, the new SCCs also fulfill the data processing contractual requirements in Article 28(3) and (4) of the GDPR.
- Schrems II Assessment. The new SCCs also incorporate changes to address the Court of Justice of the European Union’s Schrems II decision. Among other things, the SCCs require organizations who export personal data outside the EU to assess, in particular: (i) the specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing); (ii) the relevant laws and practices of the destination country; and (iii) any safeguards put in place to supplement those under the SCCs (including relevant contractual, technical and organizational measures applying to the transmission of personal data and its processing in the destination country). This assessment must be documented and made available to the competent supervisory authority on request.
United Kingdom’s SCCs
Notably, the new SCCs are not automatically applicable in the UK, but organizations may continue to use the existing SCCs for data transfers made from the UK. The UK Information Commissioner’s Office is currently working on its own version of SCCs for personal data transfers out of the UK and intends to consult on and publish a draft this year.
The new SCCs will go into effect on June 27, 2021—20 days following their publication in the Office Journal of the European Union on June 7. The old SCCs will be repealed three months after the effective date of the new SCCs, but organizations may continue to use the old SCCs, even for new transfers, until they are repealed. Controllers and processors that have the old SCCs in place before the date of repeal may continue to use them for existing data transfers for an additional 15 months—meaning that such organizations have until December 2022 to switch to the new SCCs.