The European Commission (“EC”) has adopted a long-awaited new set of standard contractual clauses (“SCCs”) for the transfer of personal data to parties in third countries outside the European Union (“EU”) and European Economic Area (“EEA”) that have not been found by the EU to have “adequate” data protection laws.
Under the EU’s General Data Protection Regulation (“GDPR”), companies are prohibited from transferring personal data out of the EU to a third country, unless certain safeguard mechanisms are in place. SCCs are one such mechanism commonly used to facilitate the transfer of personal data out of the EU. In July 2020, another commonly used mechanism, the EU-U.S. Privacy Shield, was invalidated by the Court of Justice of the European Union (“CJEU”) in its “Schrems II” decision (previously discussed here). In the same decision, the CJEU cast doubt on the version of SCCs in place at the time, suggesting that, on a case-by-case basis, “supplementary measures” may be required.
The prior SCCs were adopted before the GDPR took effect in 2018. The new set of SCCs is intended to update the prior version and address the shortcomings about which the CJEU expressed concern in Schrems II.
Adoption of the new SCCs will require organizations relying on SCCs to incorporate the new SCCs into their contracting process for new processing activities and also revise existing agreements that utilize the old SCCs. This could be a substantial undertaking for many organizations.
For new data transfer agreements entered into on or before September 27, 2021, organizations can continue to use the old SCCs (recognizing they will eventually need to be replaced with the new SCCs; see next paragraph). This three-month grace period will give organizations time to review and come into compliance with the new SCCs. The new SCCs can be used before that date if the parties prefer.
For existing data transfer agreements, organizations must replace the old SCCs with the new SCCs by December 27, 2022. At the end of this 18-month grace period, organizations will need to have updated their contracts to reflect the new SCCs (recognizing that Schrems II may require additional measures in the interim). Also, if the processing operations that are the subject of the contract change during this grace period, the new SCCs must be used from that point forward.
In the meantime, the EU and the U.S. have stated they are “intensifying” negotiations on an enhanced EU-U.S. Privacy Shield framework.