The current expectation is that the European Commission will issue the new SCCs in two weeks’ time (though this could be subject to delay).
On 12 November 2020, the European Commission published a revised set of draft standard contractual clauses for the transfer of personal data from the European Union to third countries (the “Revised SCCs”). A public consultation on the Revised SCCs was also opened on the same date, and closed on 10 December 2020. As part of the broader consultation process, the European Data Protection Board (the “EDPB”) and the European Data Protection Supervisor (the “EDPS”) on 15 January 2021 issued a joint opinion on the Revised SCCs and the European Commission’s draft implementing decision, which, in addition to lauding many of the features of the Revised SCCS, also indicated that the additional protections to be introduced in wake of the Schrems II judgment (case C-331/18) (the “Supplementary Measures”) should still be considered when evaluating cross-border transfers. The implementing decision, therefore, suggested that the Revised SCCs should be reviewed alongside the EDPB’s final form Recommendations on Supplementary Measures, given the interplay between the two documents.
In order for the Revised SCCs’ implementing decision to be adopted, a positive vote of the EU member states is required through the “comitology” procedure, which requires the European Commission to consult a committee in which each EU member state is represented. On 19 May 2021 the EU member states provided an opinion via the comitology procedure, unanimously endorsing the Revised SCCs. The final form Revised SCCs are expected to be adopted by the Commission in the next two weeks and will enter into force not long after, following their publication in the Official Journal.
From the date of publication, all new contracts which seek to rely upon standard contractual clauses for transferring personal data must incorporate this updated version. With respect to contracts entered into prior to publication of the Revised SCCs, there will be a limited “grace period” (currently expected to be one year) for bringing agreements into compliance through the much anticipated “repapering” exercise. Consequently, companies should take steps to begin incorporating the Revised SCCs into their privacy programs so that they do not face delays in implementing new contracts or transitioning all current agreements before the end of the grace period.
Our briefing on preparing for the SCCs can be found here.