Today the European Commission published its much anticipated decision on the new standard contractual clauses ("SCCs") for the transfer of personal data from the European Union to third countries, and the template SCCs. The new SCCs are modular in nature, and cover all relevant data transfer scenarios, including processor to processor, and processor to controller transfers (which were not currently covered by the previous SCCs).
The new SCCs address the CJEU's landmark decision in Schrems II by incorporating a number of terms designed to ensure an appropriate level of protection for personal data that is transferred to third countries from the EEA. The new SCCs contain significant measures relating to requests to access personal data from public authorities in third countries. These measures include a requirement that the data importer must (i) review the legality of any request it receives from a public authority; and; (ii) challenge the request (to the extent that it considers that it is unlawful).
The European Commission has confirmed that there will be an 18 month transition period, during which time companies can continue to transfer personal data to third countries using the existing SCCs (unless those contracts are changed, in which case the new SCCs must be used).
Originally published 04/06/2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.