Executive Summary: The European Commission ("the Commission") finalized its implementing decision adopting two sets of newly updated Standard Contractual Clauses ("Updated SCCs"). One set concerns data transfers between intra-EU controllers and processors and the second set concerns data transfers between the EU and third countries. Following the invalidation of the EU-US Privacy Shield, the Updated SCCs provide much-needed predictability.

Immediate Impacts: Three months following this decision, both the previous SCC decision (Decision 2001/497/EC) and the decision concerning intra-EEA data transfers between controllers and processors (Decision 2010/87/EU) will be repealed. As a result, organizations relying on SCCs should plan to use the Updated SCCs as soon as possible.

On the Horizon: The Commission has provided an 18-month transition period for organizations relying on existing SCCs to transition to the Updated SCCs. As a result, organizations will need to not only replace their existing SCCs but also update internal privacy and security programs as required by the Updated SCCs. For several organizations, this could be a substantial undertaking and will take significant time and effort to complete.

1. Background

On June 4, 2021, the Commission issued its implementing decision finalizing updates to the Updated SCCs, providing for two sets of SCCs concerning (1) data transfers between intra-EU controllers and processors and (2) data transfers from the EU to a third country (i.e., countries that have no 'adequacy decision'). This follows a draft decision issued in November 2020 and incorporates feedback from the public and other European agencies.

2. Contours of the Updated SCCs

The Commission's implementing decision addresses issues stemming from the Schrems II decision, which invalidated the EU-US Privacy Shield, and, as such, provides clarity and predictability to organizations that transfer personal data among EU members and third countries. More information on the Schrems II decision and its impacts is available here.

Noteworthy is that the Updated SCCs now account for differing and sometimes more complex relationships. The Updated SCCs apply to transfers between two processors, as well as transfers between processors and controllers, regardless of location. See Decision at para. 9. In addition, the Updated SCCs combine general clauses with a modular approach to provide more flexibility to contracting parties. Specifically, they allow for the traditional controller-to-controller and controller-to-processor transfers, but they also allow for processor-to-processor transfers and processor-to-controller transfers. This provides greater flexibility in adapting the new SCCs for various data transfer scenarios.

Moreover, the Commission approved an optional "Docking Clause," whereby new parties may accede to the Updated SCCs at any time by way of executing a specific Annex. Also included are provisions to address requests from public authorities, which apply to all modules and require data importers to warrant that they have no reason to believe that the laws of the destination country "do not exceed what is necessary and proportionate" under the GDPR and would, as a result, prevent importers from fulfilling obligations under the SCC. See Updated SCCs at cl. 14. The decision provides that SCCs should have specific safeguards, including "how to deal with binding requests from public authorities in the third country for disclosure of the personal data transferred." See Decision at para. 18.

3. Impacts to Organizations Relying on SCCs

The decision repeals the current SCCs and replaces them with the Updated SCCs contained in the decision's appendix. This decision also provides intra-EU controllers and processors with more flexibility over the regulation of their data transfers and allows for an 18-month transition period from the current SCCs to the Updated SCCs. See Decision at para. 24. Following the three-month grace period and wherever personal data is being transferred, companies will need to ensure that all contracts and agreements contain the Updated SCCs.

4. Built-in GDPR Article 28 Requirements

The Updated SCC modules that involve processors also cover the requirements of GDPR Article 28, which specifies a list of requirements that must be addressed in a written contract whenever a controller engages a processor.

5. Implementation Steps

Following this three-month grace period, the Updated SCCs must be used for any newly executed contract or changes to a contract incorporating additional or new data transfers. During the 18-month transition, organizations will need to amend or replace all existing vendor agreements to comply with the Updated SCCs in addition to replacing all intra-affiliate agreements to the extent personal data is transferred between them. Finally, organizations should develop a plan for implementing additional privacy and security protocols and controls consistent with the requirements of the Updated SCCs, such as how law enforcement access requests will be granted and how transfer impact assessments will be conducted.
