On June 4, 2021, the European Commission adopted new sets of Standard Contractual Clauses (New SCCs) that organizations can use when transferring personal data protected by the General Data Protection Regulation (GDPR) to countries outside the European Union (EU). The New SCCs were long overdue, but their issuance creates a number of tasks for the multitude of organizations that have used the current versions of the SCCs to lawfully transfer personal data from the EU to non-EU countries in the years since the GDPR went into effect.
The prior versions of standard contractual clauses that the New SCCs will replace were issued in 2004 (controller-to-controller) and 2010 (controller-to-processor), well before the drafting and implementation of the GDPR. Nevertheless, those standard contractual clauses have been critically important for compliance with the GDPR. The GDPR provides that transfers of personal data from the EU to a third country (such as the United States) are prohibited by default unless adequate safeguards for the data are implemented. The SCCs provide such safeguards, and the prior versions were used widely for cross-border data transfers since the GDPR became effective in May of 2018. The New SCCs represent a substantial overhaul of the prior versions, implementing updated safeguards to align with those afforded by GDPR and also addressing concerns raised by the Court of Justice of the European Union in its Schrems II ruling last summer, which invalidated the EU-U.S. Privacy Shield and questioned the adequacy of other protective measures for transfers of personal data to third countries including the U.S.
The New SCCs offer more flexibility to make data transfers compliant with the GDPR. The parties choose the module applicable to their relationship and use the clauses specific to that module. The New SCCs offer four modules that can be used for data transfers from:
- One controller to another controller (C2C)
- A controller to a processor (C2P)
- One processor to another processor (P2P)
- A processor to a controller (P2C)
Under the GDPR, a data controller is the entity that determines the purposes and means of the processing of personal data, while a data processor only processes personal data on behalf of, and at the direction of, a controller. The old SCCs lacked this flexibility and did not account at all for processor-to-processor or processor-to-controller data transfers.
Timeline for the Transition
- Organizations can begin to enter into the New SCCs on June 27, 2021.
- Organizations may continue to enter into contracts using the old SCCs for three months until September 27, 2021.
- Contracts incorporating the old SCCs have an 18-month transition period to enter into the New SCCs, with a final deadline of December 27, 2022.
After September 27, 2021 and through the transition period, the old SCCs are still valid but organizations may not enter into new contracts with the old SCCs.
How do the New SCCs impact data transfers involving entities in the U.K.?
Since the United Kingdom departed the European Union on January 31, 2020, numerous questions have arisen about the U.K.’s relationship with the EU for GDPR purposes. On May 5, 2021, the U.K. Information Commissioner’s Office (ICO) announced that it is working on a bespoke set of its own SCCs to be used when transferring data protected by the U.K.’s data protection law to countries outside the U.K. The ICO intends to release a draft version of these SCCs for public consideration in summer 2021. The ICO will also consider whether to permit entities to use the EU’s New SCCs for such transfers. Accordingly, at this time the New SCCs established by the EU are not valid for restricted transfers from the U.K. Organizations may continue to use the old EU SCCs for transfers from the U.K. to non-EU countries until the ICO issues its bespoke SCCs and/or approves the New SCCs. The ICO has created U.K. versions of the old SCCs so that they make sense in a U.K. context.
In light of the potentially divergent approaches to the SCCs taken by the EU and the U.K., organizations may need to enter into multiple sets of SCCs with their service providers and customers, depending upon where the data subjects are located. Organizations should look out for the ICO’s bespoke U.K. SCCs and for guidance from the EU regulatory authorities on the New SCCs later this year.
Organizations should review their service provider and customer contracts to create a plan for (once again) revising their contracts to enter into the New SCCs by December 27, 2022. Organizations whose service providers process both U.K. and EU personal data should also ensure—until the ICO publishes its bespoke SCCs and/or issues a decision on the New SCCs—that they have the old SCCs (or the U.K. versions) in place to cover U.K. personal data.