EU’s New Standard Contractual Clauses Go into Effect This Week

Burns & Levinson LLP

Burns & Levinson LLP

A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework as an adequate safeguard under the General Data Protection Regulation (GDPR), which had previously been a popular safeguard mechanism to cover the export of personal data from the EU to the U.S. While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.

SCCs are pre-approved contractual terms between an EU controller or processor to a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions of the SCCs, in part to address the shortcomings the Court identified.

The updated SCCs include a couple key innovations meant to address the Court’s concern that SCCs should not be “sign and forget” documents. First, the new versions of the SCCs adopt a flexible, modular approach that allows multiple parties to join and use the clauses with additional customization options to enable the SCCs to cover complex processing chains. In addition, the Commission will also release a practical toolbox meant to supplement the contractual provisions of the SCCs with operational guidance for organizations to safeguard personal information in an international transfer. For example, the toolbox will explore topics such as “supplementary measures” for data security, such as encryption.

The new SCCs become effective on June 14, 2021; however, any controllers and processors that are currently using previous versions of SCCs have a grace period of 18 months to transition to the newly approved SCCs.

If your organization currently relies on SCCs for its cross-border safeguard mechanism under the GDPR, you should begin the process of reviewing the updated SCCs and rolling out appropriate amendments to adopt the new versions of the SCCs for any agreements that will be in effect beyond the 18-month grace period. If your organization does not currently rely on SCCs for its cross-border safeguard mechanism, it may be worth exploring further whether SCCs may be an additional tool for your organization to rely on.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burns & Levinson LLP | Attorney Advertising

Written by:

Burns & Levinson LLP

Burns & Levinson LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.