Preparing for the Final Version of the New EU Standard Contractual Clauses for International Data Transfers

Proskauer - Privacy & Cybersecurity

Proskauer - Privacy & Cybersecurity

It has been reported that European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European data protection law since the coming into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, which was three years ago this month.  These new SCCs will replace prior versions of the SCCs, some of which date back to 2001 and pre-date the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as these are published. We expect the impact of these SCCs to be significant on organizations which are directly subject to the GDPR or which receive personal data from organizations that are subject to the GDPR.

As is well-known, SCCs are template data transfer agreements that allow data exporters in the European Economic Area (“EEA”) to transfer personal data to countries outside the EEA that the Commission treats as providing an “inadequate” level of data protection in accordance with the EU General Data Protection Regulation. (Countries in this category include Australia, Brazil, China, India and the United States.) The new SCCs comprise four different forms Controller-to-Controller, Controller-to-Processor, Processor-to-Controller, and Processor-to-Processor relative to only two forms in the current versions, namely Controller-to-Controller, Controller-to-Processor. Relative to the current SCCs, the new SCCs also impose substantially enhanced obligations on both data exporters and data importers to reflect both the coming into force of the GDPR in 2018 and the decision of the Court of Justice of the European Union in the Schrems II case in 2020.

Based on press reports, the final versions of the new SCCs may, at least in part, be substantially different from the draft versions published in December. For example, a longer period may potentially be offered to organizations to transition to the new SCCs from the existing SCCs. Many organizations also hope that the final versions of the new SCCs will help resolve certain tensions between the draft version from December and the European Data Protection Board’s guidance on Schrems II compliance (notably, whether organizations are allowed to adopt a risk-based approach to assessing data protection risks in the country of data import.)

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Cybersecurity | Attorney Advertising

Written by:

Proskauer - Privacy & Cybersecurity

Proskauer - Privacy & Cybersecurity on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.