On June 4, 2021, the European Commission (“EC”) adopted two new sets of Standard Contractual Clauses (“SCCs”) to replace those that the EC had adopted in 2001 and 2010 under the now-repealed Data Directive.  The new SCCs are intended to satisfy the requirements of the General Data Protection Regulation (“GDPR”), which became effective in 2018.  One of the two sets is for use between data controllers and processors.  The other set is for the transfer of data to third countries that do not meet the GDPR’s requirements for an adequate level of data protection.  Companies have eighteen months to bring their existing SCCs into conformity with the new requirements, which means they must effect several changes in current practices.  While companies have some time to incorporate the new SCCs into existing transfers, it is important for companies to start preparing their new model contracts to ensure a smooth transition.

Background: Transfers of personal data to countries outside the European Economic Area (“EEA”) must meet certain requirements and protections under the GDPR.  In cases where the third country does not provide an adequate level of data protection (as determined by the EC), SCCs have been the most commonly used safeguard.  In July 2020, the Court of Justice of the European Union dealt with a challenge to SCCs and ultimately invalidated the EU-U.S. Privacy Shield but stopped short of disallowing SCCs as they existed at that time (“the Schrems II decision”).  As a condition of allowing SCCs to continue to cover international transfers, the Schrems II decision noted that companies must verify, prior to the transfer of personal data pursuant to an SCC, whether there were sufficient safeguards in place to ensure the protection of personal data.  As noted, the EC was already reviewing SCCs in light of the GDPR’s requirements and redoubled its efforts following Schrems II.  It has now published its final version of the new SCCs.

Key Changes to the New SCCs: There are several important changes to the new SCCs, which include:

  • Modular Approach: In contrast to the old SCCs, which only applied to controller-to-controller and controller-to-processor transfers outside the EEA, the new SCCs include different modules that parties may select and complete depending on the type of transfer.  The modules now include (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-(sub)processor, and (iv) processor-to-controller transfers.  The modular approach allows parties to address various transfer scenarios and the growing complexity of processing chains.
  • Multi-party SCCs: The new SCCs can be entered into by multiple parties.  In addition, the new SCCs allow for change over time by including arrangements for new parties to accede to the SCCs through a “docking clause.”
  • No Separate Data Processing Agreement: Entering into the new SCCs will eliminate the need for the controller to impose separate contractual measures on the processor to comply with the controller’s obligations under Article 28 of the GDPR, thereby simplifying negotiations and reducing paperwork for future transfers.
  • Data Subject Rights: Data subjects are given the ability to enforce several provisions of the new SCCs against both the data exporter and the data importer.
  • Security Measures: The new SCCs impose an obligation that clauses be drafted to include technical and organizational measures that the data importer must carry out, including, among other things, IT security governance and management, pseudonymization and encryption, data avoidance and minimization, and protection of data during transit and storage.
  • Transfer Impact Assessment: The new SCCs require the parties to conduct a “transfer impact assessment” to determine whether the laws of the importing country have adequate data protections for a lawful transfer.  Notably, a finding of inadequate protection will require the parties to enact supplementary measures, such as encryption.  The European Data Protection Board likely will provide further guidance on the scope of the transfer impact assessments.

Timeframe: The EC did provide a grace period to adjust to the new SCCs, enabling companies to rely on the old SCCs for new transfers for the next three months.  Likewise, existing transfers can continue to remain on the old SCCs for eighteen months.

Looking Ahead: Companies should start preparing to adopt the new SCCs.  A few things to consider:

  • Reassess data mapping to fully understand where any personal data is coming from or being transferred to
  • Identify and categorize existing transfers (e.g., controller-to-controller, processor-to-controller)
  • Conduct transfer impact assessments
  • Perform due diligence on customers or vendors
  • Amend applicable contracts to incorporate the new SCCs
  • Update model contracts to incorporate new SCCs

As noted, companies have a three-month (for new transfers) or eighteen-month (for existing transfers) grace period before the new SCCs must be in place.  Companies are encouraged to begin taking the necessary steps to develop their new model contracts to ensure a smooth transition.

For additional information on this topic, please contact David Shonka at dshonka@redgravellp.com