The European Commission has today published its new Standard Contractual Clauses (“SCCs”) for international transfers of personal data (see here).
We have pulled out a few key questions and answers to address immediate issues:
- What do the new SCCs address? Rather than addressing just controller to controller, or controller to processor, transfers (which was the case under the old SCCs), the new SCCs are modular and, in addition to these transfers, they also address processor to processor, and processor to controller transfers. This new modular approach much better fits the reality of data transfers, particularly because the new SCCs can be used by data exporters that are not established in the EEA but who are still subject to GDPR by virtue of their offering goods or services to, or monitoring the behavior of, individuals in the EU.
- Do the new SCCs address issues raised by Schrems II? Yes. The new SCCs include provisions to address the concerns regarding international transfers raised in the Schrems II case. Of note, and at odds with guidance previously issued by the European Data Protection Board, the new SCCs appear to take a risk-based approach to Schrems II compliance by permitting the parties to consider different elements as part of an overall assessment of risk. These elements include, for example, practical experience with prior instances of requests for disclosure from public authorities.
- Do I have to use the new SCCs for new transfers? New transfers can be undertaken under the old SCCs for the next 3 months. However, it will likely be more practical for new transfers to be undertaken pursuant to the new SCCs.
- What about existing transfers? Do I have to immediately switch to the new SCCs? There is a grace period of 18 months for existing transfers, after which organizations will be required to switch to the new SCCs.
- What should I be doing now? Review and update template DPAs to incorporate the new SCCs, and ensure that any new transfers are undertaken subject to them. With respect to existing transfers, identify existing transfers undertaken pursuant to the old SCCs and identify what type of transfer under the new SCCs is being undertaken (i.e., controller to controller, processor to controller). Then, start to amend applicable contracts / DPAs to incorporate the appropriate version of the new SCCs in good time to meet the 18-month implementation deadline.