Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
So what’s new? Among other changes, two of the biggest differences in these new “cross border” SCCs is the modular approach and provisions to address Schrems II. The new SCCs combine a set of non-negotiable, standard clauses, along with a modular approach, so companies can adapt the SCCs to different data transfer scenarios. The previous SCCs contemplated only two transfer scenarios: controller-to-controller transfers and controller-to-processor transfers. Now, the SCCs contemplate more realistic transfer situations, including Controller-to-Controller transfers (Module 1); Controller-to-Processor transfers (Module 2); Processor-to-Processor transfers (Module 3); and Processor-to-Controller transfers (Module 4). In relation to the Schrems II ruling, the new SCCs allow organizations to take a risk-based approach when assessing the possibility of (foreign) public authorities accessing the data under their local laws. This means, for example, that a data importer’s mere eligibility to receive data disclosure directions under Section 702 of the U.S. FISA Act should not automatically stop the ability to transfer data, if the parties can demonstrate that the likelihood of such disclosures is sufficiently low.
What’s the timing? The new cross-border SCCs can be used instead of the old terms starting June 27, 2021. From June 27, 2021 until September 27, 2021, both the “old” SCCs and the new SCCs can be used for new contracts. However from September 27, 2021 onwards, only the new SCCs can be used for new contracts. There is an 18 month grace period for existing contracts under the old SCCs. This means that by December 27, 2021 onward, all existing contracts using the old SCCs will need to be replaced by the new terms.
So what is the second set of SCCs? The EC has also issued SCCs for transfers of information between controllers and processors. These clauses can be used by entities operating solely within the EU, and can be incorporated into a broader contract between the parties. Provisions include those contemplated under GDPR, including that processors will use information only as set forth in the SCCs, and will provide security for information processed. While companies are not required to use these controller-processor SCCs and could instead negotiate and include each of the elements required to be contained in a controller-processor agreement under GDPR, using these SCCs could make the contracting process simpler. (These SCCs do not contain cross-border provisions, which would still need to be addressed where relevant.)
Putting it into Practice. During this grace period, companies relying on old SCCs for cross-border data transfers should start inventorying existing arrangements and prepare to implement the new cross-border SCCs. Even though these new SCCs have been designed to largely address the requirements of Schrems II, companies will still need to assess whether the cross-border SCCs alone will suffice or whether any other additional measures are needed. For data importers in particular, this may include preparation of a transparency report and transfer impact assessments. With respect to intra-EU transfers between controllers and processors, companies can rely on these new SCCs to address GDPR obligations.