On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous standard contractual clauses were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).
The following are some key differences between the old and new SCCs:
United Kingdom’s SCCs
Notably, the new SCCs are not automatically applicable in the UK, but organizations may continue to use the existing SCCs for data transfers made from the UK. The UK Information Commissioner’s Office is currently working on its own version of SCCs for personal data transfers out of the UK and intends to consult on and publish a draft this year.
The new SCCs will go into effect on June 27, 2021—20 days following their publication in the Office Journal of the European Union on June 7. The old SCCs will be repealed three months after the effective date of the new SCCs, but organizations may continue to use the old SCCs, even for new transfers, until they are repealed. Controllers and processors that have the old SCCs in place before the date of repeal may continue to use them for existing data transfers for an additional 15 months—meaning that such organizations have until December 2022 to switch to the new SCCs.