European Commission Adopts New SCCs for Transfer Outside EU
On June 4, 2021, the European Commission adopted new sets of Standard Contractual Clauses (“New SCCs”) that organizations can utilize to transfer GDPR-protected personal data protected to countries outside the European Union (“EU”). The New SCCs should be reviewed by all privacy professionals who previously utilized the existing SCCs for purposes of their data transfer framework from a GDPR perspective.
A Brief History of SCCs
The prior versions of standard contractual clauses (“Old SCCs”) that the New SCCs will replace were issued in 2004 and 2010; light-years ago in terms of technological development and years prior to the drafting and implementation of GDPR. Still, companies have relied heavily on the Old SCCs as they related to GDPR compliance as they provided what was previously considered to be a GDPR-compliant mechanism for transfers of data to companies outside of the EU and GDPR protections. This is because the GDPR provides that transfers of personal data from the EU to a country outside the EU are prohibited by default unless adequate safeguards for the data are implemented.
Organizations relied heavily on the Old SCCs, as the prior versions were used widely for cross-border data transfers and thought to be in compliance with GDPR. The New SCCs represent a substantial overhaul of the prior versions, implementing updated safeguards to align with those afforded by GDPR and also addressing concerns raised by the Court of Justice of the European Union in its Schrems II ruling last summer, which invalidated the EU-U.S. Privacy Shield and questioned the adequacy of other protective measures for transfers of personal data to third countries including the U.S.
What changes do the New SCCs bring?
The New SCCs aim to provide additional flexibility to organizations seeking to make data transfers compliant with the GDPR. The parties to a transfer may choose the module that is applicable to the relationship between the parties and use the clauses specific to that module. The New SCCs offer four modules that can be used for data transfers from:
- A controller to another controller
- A controller to a processor
- A processor to another processor
- A processor to a controller
These updates are significant, as the old SCCs didn’t account at all for processor-to-processor or processor-to-controller data transfers.
Timeline for the Transition
- Organizations can begin to enter into the New SCCs on June 27, 2021.
- Organizations may continue to enter into contracts using the old SCCs until September 27, 2021.
- Contracts incorporating the old SCCs have an 18-month transition period to enter into the New SCCs, with a final deadline of December 27, 2022.
After September 27, 2021 and through the transition period, the old SCCs are still valid but organizations may not enter into new contracts with the old SCCs.
Takeaways
Organizations should review their service provider and customer contracts to create a plan revising their contracts to enter into the New SCCs by December 27, 2022. Failing to do so will result in a GDPR violation which can be costly, time intensive and bad public relations for your organization.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.