EU Commission publishes final versions of its new Standard Contractual Clauses
What is the impact of the new Standard Contractual Clauses (SCCs) on companies and data transfers?
The key takeaway
The new SCCs will become mandatory after 27 September 2021 for new agreements (ie the old SCCs can be used up until this date for new agreements). For pre-existing agreements using the old SCCs, there will be a transition period until 27 December 2022, after which the new SCCs will have to be incorporated.
The old SCCs came into force along with the General Data Protection Regulation (GDPR) in May 2018 and provide contractual clauses that are pre-approved by the EU that can be incorporated into contractual arrangements to enable compliance with international data transfer requirements.
Following the EU Court of Justice’s decision in Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems (Case C‑311/18) (Schrems II), the EU set out to update the old SCCs to enable lawful transfers of personal data to non-EU countries.
The key changes to the new SCCs include:
- one single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses. A new 'modular' approach gives greater flexibility for complex processing chains by offering the possibility for more than two parties to join and use the clauses, and
- a practical toolbox to comply with the Schrems II decision, giving an overview of the different steps companies have to take to comply with the decision. There are also examples of possible 'supplementary measures', such as encryption, that companies can take where needed.
The two key dates to note are:
- new agreements: the old SCCs can be used until 27 September 2021, after which the new SCCs will become mandatory for all new agreements, and
- existing agreements: a transition period of 18 months for controllers and processors that are using the old SCCs in existing agreements, which will remain valid until 27 December 2022, provided processing operations remain unchanged and are subject to appropriate safeguards.
Why is this important? And what about Brexit?
The new SCCs provide companies with greater flexibility over data transfers, in particular in connection with complex processing chains. The new toolkit also enables easier compliance following the Schrems II decision to ensure that international data transfers are compliant with the GDPR.
In light of Brexit, however, the new SCCs do not form a part of retained EU legislation in the UK, and how far the UK’s Information Commissioner (ICO) officially adopts the new SCCs remains to be seen. The ICO is currently considering preparing the UK’s own bespoke SCCs (ie under the UK GDPR). In the meantime, UK businesses are left with a challenge, given that the ICO has previously stated that it only recognises the EU’s previous SCCs (valid as at 31 December 2021) as an adequate means of international data transfer from the UK. This means that (for now at least) those businesses are left with the need to continue using the old EU SCCs for transfers outside the UK and the new EU SCCs for transfers outside the EU.
Any practical tips?
- Review your existing data protection agreements and transfer arrangements to ensure that: (a) any processing operations remain unchanged and are subject to appropriate safeguards to benefit from the transition period (ie until 27 December 2022 for those agreements already using the old SCCs); and (b) you have a clear understanding as to which arrangements involve transfers outside the UK and which relate to transfers outside the EU,
- For transfers outside the EU, ensure that the new SCCs are incorporated into your new data protection agreements where necessary (ie from 27 September 2021), and
- For transfers outside the UK, keep alert to developments within the UK and any potential divergence from the EU approach in relation to any UK SCCs.