On June 4, 2021, the European Commission (“EC”) published its final Implementing Decision adopting new Standard Contractual Clauses (“SCCs”) for the transfer of personal data outside the European Economic Area (“EEA”). Businesses and organizations that collect, process, or otherwise handle any EEA personal data (i.e., anything that can be used to directly or indirectly identify a natural person) will need to take steps to ensure that their data transfers are in compliance with the new SCCs and their related requirements. The revisions come into effect on June 27, 2021, but for those currently in compliance, this deadline may extend to December 27, 2022.
SCCs provide a legal basis under the General Data Protection Regulation (“GDPR”) to allow the transfer of personal data of individuals in the EEA to countries outside of the EEA that have not been deemed to have an adequate level of data protection. Because the EC has not deemed the United States to have an adequate level of data protection, and because the Court of Justice of the European Union (“CJEU”) recently invalidated EU-U.S. Privacy Shield as a self-certification transfer mechanism, the new SCCs will become a critically important personal data transfer mechanism for European and United States businesses and organizations.
To comply with this regulation, businesses and organizations who collect, process, or otherwise handle any EEA personal data should:
The EC adopted the new SCCs for several reasons. First, the original SCCs were written prior to adoption of the GDPR in 2018 and therefore do not fully address all of the GDPR’s data protection requirements. Second, the digital economy has seen significant developments and more complex processing operations involving multiple data importers and exporters, complex processing chains, and evolving business relationships, all of which have resulted in the need for general modernization of the SCCs. Third, and perhaps most significantly, the CJEU issued its Schrems II decision on July 16, 2020, which declared as invalid the EU-U.S. Privacy Shield personal data transfer mechanism for data transfers between the U.S. and the EEA. As part of the Schrems II decision, the CJEU also called into question the reliability of the original SCCs as a data transfer mechanism unless transfer impact assessments were conducted and “supplementary measures” implemented.
As a result, the new SCCs include substantial updates over the original SCCs. Among the changes, the new SCCs now include:
While the new SCCs come into effect on June 27, 2021, the EC has built in two grace periods whereby (i) the original SCCs can still be executed until September 27, 2021, and (ii) original SCCs that were executed prior to the September 27, 2021 date can still be relied upon as a valid data transfer mechanism until December 27, 2022. After December 27, 2022, the new SCCs must replace the original SCCs as a valid data transfer mechanism.