Insights

New EU SCCs for international data transfers now adopted

New EU SCCs for international data transfers now adopted

4 June 2021 (updated on 9 June 2021)
Download PDFDownload PDF
Print
Share

The European Commission adopted revised standard contractual clauses for international transfers (the “new SCCs”) on Friday, 4 June 2021. The new SCCs incorporate a number of additional provisions intended to strengthen the degree of protection for personal data transferred to “third countries”, such as the United States, which have not been recognised by the European Commission as providing “adequate” protection.

The adoption of the revised SCCs follows the Court of Justice of the European Union’s (“CJEU”) ruling in the Schrems II judgment (Case C-311/18) which invalidated the EU–US Privacy Shield mechanism and determined that transfers based on the SCCs could continue provided that a level of protection over the transferred personal data that was “essentially equivalent” to that provided by the General Data Protection Regulation (2016/679) (“GDPR”) could be guaranteed (additional recommendations for complying with Schrems II available here).

The Commission notes the new SCCs offer the following main innovations:

  • One single entry-point covering a broad range of transfer scenarios (i.e. a composite approach), instead of separate sets of clauses;
  • More flexibility for complex processing chains, through a ‘modular approach' and by offering the possibility for more than two parties to join and use the clauses;
  • Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary; and
  • For controllers and processors currently using previous sets of standard contractual clauses, a transition period of 18 months is provided to replace them with the new SCCs (noting that changes to ongoing processing operations during that 18 month period may trigger a need to enter into the new SCCs sooner).  The previous sets of SCCs can only be used for new contracts until 27 September 2021; from that point, the new SCCs must be utilised for all new contracts.

The new SCCs were published the Official Journal of the European Union on 7 June and enter into force after 20 days, i.e. on 27 June 2021. At the same time - and with less fanfare - a set of model data processing clauses (i.e. controller/processor clauses without an international transfer) were also published. 

We will follow up this update with our analysis of the new SCCs and the impact for businesses looking to rely upon them. If you have any questions, please contact a member of BCLP’s Data Privacy & Security Team.

Related Practice Areas

  • Data Privacy & Security

  • General Data Protection Regulation

Meet The Team

Amy de La Lama

Amy de La Lama

Co-Author, Boulder

+1 303 417 8535

Meet The Team

Christian M. Auty
+1 312 602 5144
Dominik Weiss

Dominik Weiss

Co-Author, Hamburg

+49 (0) 40 30 33 16 148
Amy de La Lama

Amy de La Lama

Co-Author, Boulder

+1 303 417 8535
Christian M. Auty
+1 312 602 5144
Dominik Weiss

Dominik Weiss

Co-Author, Hamburg

+49 (0) 40 30 33 16 148

Meet The Team

Amy de La Lama

Amy de La Lama

Co-Author, Boulder

+1 303 417 8535
Christian M. Auty
+1 312 602 5144
Dominik Weiss

Dominik Weiss

Co-Author, Hamburg

+49 (0) 40 30 33 16 148
This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.