It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission ("Commission"). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union's (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR's data protection requirements for multiple variations of data exporter-importer relationships.
Following the end of the grace period, companies executing new data processing agreements (DPAs) must use the 2021 SCCs. However, DPAs that were executed before September 27, 2021, may continue to use the old clauses until December 27, 2022 when all executed SCCs must be updated to reflect the 2021 changes. A summarized timeline of these relevant dates and grace periods is listed below.
Effective Date and Transition Period.
- June 27, 2021: Effective date of 2021 SCCs.
- September 27, 2021: Last day parties may negotiate and enter into prior iterations of SCCs. However, prior SCC iterations in existing DPAs can continue to be used for transfers and remain effective for existing data transfers for up to 15 months.
- December 27, 2022: All prior iterations of SCCs in any existing DPAs must be replaced with the 2021 SCCs.
How SCCs Relate to Data Transfer.
Generally, the GDPR restricts the transfer of personal data outside the European Economic Area (EEA) unless an exemption applies or the importing country is deemed by the Commission to have an "adequate" level of data protection. When an importer of personal data is in a country deemed inadequate by the Commission, such as the United States, importers and exporters must execute additional safeguards to permit the transfer of personal data. SCCs exist as model clauses approved by the Commission for such transfers.
SCCs are incorporated into DPAs between a data controller and data processer to specify processing obligations for personal data, as required under Article 28 of the GDPR. However, the older clauses were published in 2010, nearly a decade before the GDPR's enactment in 2018. Since the GDPR's enactment, parties to global data transfers have identified several exporting arrangements of personal data amongst several parties that were not contemplated by the 2010 SCCs. With both the GDPR and Schrems II decision redefining the standard for proper data protection practices and procedures, the 2021 SCCs complement the robust changes to privacy law that have occurred during the last few years.
Bracing for Impact: How Companies Should Approach New SCCs.
Prior to December 27, 2022, all organizations processing personal data subject to SCCs will need to adopt the 2021 version. This gives companies a little over a year to get up to speed on the new requirements. Within the next few months companies exporting and importing personal data from the EEA should consider:
- making a list to identify all outstanding DPAs with other entities;
- using that list to identify all agreements which include the old SCCs (presumably all agreements containing SCCs will feature the old standards);
- contacting your privacy officer or outside counsel to learn more about the applicability of the 2021 SCCs to existing and pending data transfer agreements; and
- working with outside counsel to prepare a remediation project to assess current data transfer arrangements and replace existing SCCs with the 2021 standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.