On 4 June, the European Commission approved and adopted a new version of the Standard Contractual Clauses (SCCs). This is a welcome relief to many businesses that rely upon SCCs to safeguard international data flows that are an integral part of their daily operations. Here’s a quick guide to the new SCCs.
What are the new EU SCCs?
The purpose of the new EU SCCs is to help businesses legitimise the transfer of personal data originating in the European Economic Area (EEA) to any country outside the EEA whose data protection laws have not been found by the European Commission to offer adequate protection, commonly referred to as a “third country”.
Which relationships do they cover?
The new EU SCCs adopt a modular structure and cater for various types of transfers which reflect today’s more complex processing arrangements. Two welcome additions are processor-to-processor and processor-to-controller transfers which were not addressed by the previous SCCs. An optional “docking” clause allows additional parties to accede to existing processing arrangements.
What about Schrems II?
The new EU SCCs incorporate clauses that address concerns raised in Schrems II such as how parties can complete the transfer assessments for international transfers. Businesses can take a risk-based approach when assessing the local law of a third country and should consider the likelihood that any public authority would actually access personal data.
Do the new EU SCCs apply to transfers from the UK?
The UK has not formally recognised the new EU SCCs so they cannot be used to legitimise data transfers from the UK. The ICO has stated that it plans to adopt SCCs that are specific to the UK but, for the time being at least, businesses will need to continue to rely on the previous SCCs to safeguard transfers from the UK.
When can you use them?
Businesses can start using the new EU SCCs now but new contracts can continue to use the previous SCCs until 27 September 2021, after which the new EU SCCs must be used. That may allow businesses time to devise an implementation strategy, particularly where they need to safeguard transfers from the UK and the EEA. All contracts that involve data transfers from the EEA must have transitioned to the new EU SCCs by 27 December 2022.
What should you do now?
Any business that transfers data internationally should be taking the following steps:
Identify contracts that rely on SCCs: these could be existing contracts such as third party supply agreements or group processing arrangements, or standard form documents such as data processing agreements.
Devise an implementation strategy: Prioritise the contracts that must be transitioned to the new SCCs based on their risk profile. Existing contracts that use the previous SCCs will continue to be valid until 27 December 2022 so they may rank low on your list.
Watch for guidance from the UK: If your business operates in the UK and the EEA, it may be sensible to delay changes to contracts until such time as the ICO has offered guidance on the use of the new EU SCCs, or until UK specific SCCs have been adopted. Should neither of those happen by 27 September 2021, businesses should be prepared to use the previous SCCs for UK transfers and the new EU SCCs for EEA transfers.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.