Updated Standard Contractual Clauses for Data Transfers
The European Commission has adopted final versions of new standard contractual clauses for use in data transfers involving European Economic Area states.
Under the General Data Protection Regulation (GDPR), the European Commission may approve Standard Contractual Clauses (SCCs). These may be inserted by companies into their contractual agreements involving data transfers, ensuring their compliance with GDPR data protection obligations. The European Court of Justice confirmed that SCCs effectively protect personal data in Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (Schrems II). You can read more on that judgment here.
There were three sets of SCCs previously adopted under the Data Protection Directive 95/46. However, following a public consultation in November 2020, the European Commission has now introduced two new sets of SCCs, to replace those three sets from the Data Protection Directive 95/46. The first set of SCCs is for use in the transfer of personal data from European Economic Area (EEA) countries to third countries, while the second set of SCCs is to be used in agreements between data controllers and processors within the EEA.
The new SCCs are intended to act as an easy to implement template for ensuring data protection compliance, while also addressing the realities faced by modern businesses. The new SCCs have been updated in line with the GDPR and are intended to provide businesses with more flexibility for complex processing chains, using what the European Commission have described as a “modular approach”. In particular, the new SCCs have been drafted with the possibility of more than two parties to an agreement in mind. Additionally, these new SCCs have been referred to by the European Commission as a “practical toolbox” for ensuring compliance with the Schrems II judgment. The SCCs provide examples of the various “supplementary measures” considered by the European Court of Justice in Schrems II, such as encryption.
If you are a data controller or processor operating in the EEA, and you are currently using the old sets of SCCs, you have a transition period of 18 months in which to adopt the new SCCs. Contracts incorporating the old SCCs will still be valid until 27 December 2022, provided these contracts have been entered into before 27 September 2021. This will pose a significant administrative challenge for EEA data exporters and importers, who will have to update their contracts within the transition period.
For UK companies, the new SCCs will not form part of retained EU law. It will be for the UK legislature to determine whether these SCCs will be adopted through new regulations under the Data Protection Act 2018. The Information Commissioner’s Office is in the process of drafting its own SCCs under the UK GDPR, with a consultation set to take place later this Summer.