On June 4, 2021, the European Commission issued two new sets of standard contractual clauses (“SCCs”) for data transfers in the EU/EEA and outside of the EU/EAA. Standard contractual clauses are contract addendums that have been pre-approved by the European Commission, establishing data protection safeguards for data transfers between EU and non-EU countries.
These new SCCs take into account the Data Protection Commission v. Facebook Ireland, Schrems decision from July 2020. The landmark decision invalidated the EU-US Privacy Shield Frameworks designed to create a GDPR-complaint basis for international data transfers from the EU to the US.
The two new sets of SCCs, one for international transfers and one for controllers and processors in the EU/EEA, will replace three previous sets, while providing an “easy-to-implement template” that will “offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers,” as noted by the European Commission.
According to the European Commission, there are four significant changes within the new SCCS:
- Update in line with the General Data Protection Regulation (GDPR);
- One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary
The new SCCs became effective on June 27, 2021. However, companies may still use the old SCCs until September 27, 2021. Additionally, companies will have a grace period until December 27, 2022 to switch prior data processing agreements using the old SCCs to the new SCCs. Effectively, what this means is that contracts being negotiated right now and are finalized before September 27 can use the old SCCs. But, any contracts with terms beyond December 2022 will eventually be replaced with the new SCC.
The European Data Protection Board also adopted a final version of the Recommendations on supplementary measures, which aims to provide EU controllers and processors with supplementary protective measures to assess data transfers to third countries and implement effective, lawful transferring.
Among the main modifications to the guide are:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge – in practice – on the effectiveness of the Art. 46 GDPR transfer tool;
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.