Today, 4 June 2021, the European Commission published its final decision on standard contractual clauses for the transfer of personal data to “third countries” pursuant to the GDPR. The decision includes the final version of the new standard contractual clauses (SCCs) for this purpose. The new SCCs are long-awaited, following the introduction of the GDPR three years ago and a ruling in 2020 from Europe’s top court (Schrems II) invalidating the EU-U.S. Privacy Shield data transfer scheme as well as raising concerns with current SCCs.
The decision shall enter into force on the twentieth day following that of its publication. The current SCCs are repealed three months after that, with a further 15-month grace period included in the decision during which the current SCCs may still be relied on.
The New SCCs
The new SCCs adopt a modular approach. There is only one Annex with one “set” of clauses, further split into “modules” depending on the relationship between the parties (including the previously covered arrangements of transfers from “controller to controller” and “controller to processor”, along with new “processor to processor” and “processor to controller” provisions). It is then for organisations to select the appropriate modules to be incorporated into the data transfer agreement. This differs significantly from the current approach, in which the relevant SCCs were contained in different decisions, depending on the relationship between the parties.
Another key addition in the new SCCs is the introduction of the optional Section 1 Clause 7, which allows a new entity that was not originally a party to the clauses to accede to the agreement (either as a data exporter or as a data importer).
Some other key changes in the new SCCs are as follows:
Owing to the modular approach of the new SCCs, and the incorporation of a number of provisions previously reserved for the overarching agreement, the repapering exercise needed by businesses will require some detailed considerations and will need to go beyond simply swapping out current SCCs for the new ones as an appendix to any DPA or DTA.
Businesses should act now. A project plan should be initiated for updates to agreements, and businesses should not be lulled into a false sense of security by the short implementation period available. Equally, care should be taken to consider the new clauses carefully and not rush changes but rather tailor them to the business properly, as there is more scope to get this wrong with the new SCCs.