In the world of data privacy and protection, the EU-US Privacy Shield was once considered the gold standard in ensuring the transfer of personal data between the European Union and the United States. However, with the invalidation of the Privacy Shield by the European Court of Justice in July 2020, companies have been left scrambling to find alternate means of transferring data while complying with the General Data Protection Regulation (GDPR).
One of the most commonly used mechanisms for data transfer has been the use of Standard Contractual Clauses (SCCs). SCCs are model contracts adopted by the European Commission that provide a legal framework for the transfer of personal data to countries outside the EU that do not have an adequate level of data protection.
On June 4th, 2021, the European Commission published new SCCs in the Official Journal of the European Union. These new SCCs replace the previous set of SCCs, which had been in use since 2010.
So, what’s new in the 2021 SCCs?
Firstly, the new SCCs take into account the GDPR, which came into force in 2018, and its increased transparency, accountability, and security requirements. The new SCCs incorporate provisions for data processors as well as data controllers, making them more comprehensive and adaptable to new data protection laws in various countries.
Secondly, the new SCCs offer greater flexibility. They now allow for multiple parties to be included in a single set of SCCs, making it easier for complex data transfers involving multiple processors and sub-processors. Additionally, the new SCCs offer modular clauses that can be added depending on the specific circumstances of the transfer, providing further flexibility and customization.
Thirdly, the new SCCs address the issue of government access to personal data. In light of recent events such as the Schrems II ruling, which invalidated the Privacy Shield due to concerns over American government access to personal data, the new SCCs include provisions for assessing whether the laws of the receiving country allow for adequate protection of personal data against government access.
Finally, the new SCCs also include a set of “docking” clauses, which enable new parties to be added to an existing transfer. This can be particularly useful in situations where the original parties to the transfer undergo mergers or acquisitions.
While the new SCCs do not come into force until three months after their publication in the Official Journal, companies should begin reviewing their data transfer agreements to ensure compliance with the new requirements. Given the increased emphasis on transparency, accountability, and security, it’s more important than ever to ensure that data transfers are being conducted in a lawful and responsible manner. By adopting the new SCCs, companies can demonstrate their commitment to protecting personal data and complying with evolving data protection laws.