New EU SCCs for international data transfers now adopted

The European Commission adopted revised standard contractual clauses for international transfers (the “new SCCs”) on Friday, 4 June 2021. The new SCCs incorporate a number of additional provisions intended to strengthen the degree of protection for personal data transferred to “third countries”, such as the United States, which have not been recognised by the European Commission as providing “adequate” protection.

The adoption of the revised SCCs follows the Court of Justice of the European Union’s (“CJEU”) ruling in the Schrems II judgment (Case C-311/18) which invalidated the EU–US Privacy Shield mechanism and determined that transfers based on the SCCs could continue provided that a level of protection over the transferred personal data that was “essentially equivalent” to that provided by the General Data Protection Regulation (2016/679) (“GDPR”) could be guaranteed (additional recommendations for complying with Schrems II available here).

The Commission notes the new SCCs offer the following main innovations:

• One single entry-point covering a broad range of transfer scenarios (i.e. a composite approach), instead of separate sets of clauses;
• More flexibility for complex processing chains, through a ‘modular approach' and by offering the possibility for more than two parties to join and use the clauses;
• Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary; and
• For controllers and processors currently using previous sets of standard contractual clauses, a transition period of 18 months is provided to replace them with the new SCCs (noting that changes to ongoing processing operations during that 18 month period may trigger a need to enter into the new SCCs sooner).  The previous sets of SCCs can only be used for new contracts until 27 September 2021; from that point, the new SCCs must be utilised for all new contracts.

The new SCCs were published the Official Journal of the European Union on 7 June and enter into force after 20 days, i.e. on 27 June 2021. At the same time - and with less fanfare - a set of model data processing clauses (i.e. controller/processor clauses without an international transfer) were also published. 

We will follow up this update with our analysis of the new SCCs and the impact for businesses looking to rely upon them. If you have any questions, please contact a member of BCLP’s Data Privacy & Security Team.