A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework, previously a popular mechanism for covering the export of personal data from the EU to the U.S., as an adequate safeguard under the General Data Protection Regulation (GDPR). While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.
SCCs are pre-approved contractual terms between an EU controller or processor and a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions of the SCCs, in part to address the shortcomings the Court identified.
The updated SCCs include a couple of key innovations meant to address the Court’s concern that SCCs should not be “sign and forget” documents. First, the new versions of the SCCs adopt a flexible, modular approach that allows multiple parties to join and use the clauses with additional customization options to enable the SCCs to cover complex processing chains. In addition, the Commission will release a practical toolbox meant to supplement the contractual provisions of the SCCs with operational guidance for organizations to safeguard personal information in an international transfer. For example, the toolbox will explore topics such as “supplementary measures” for data security, including encryption.
The new SCCs become effective on June 14, 2021; however, any controllers and processors that are currently using previous versions of SCCs have a grace period of 18 months to transition to the newly approved SCCs.
If your organization currently relies on SCCs for its cross-border safeguard mechanism under the GDPR, you should begin the process of reviewing the updated SCCs and rolling out appropriate amendments to adopt the new versions of the SCCs for any agreements that will be in effect beyond the 18-month grace period. If your organization does not currently rely on SCCs for its cross-border safeguard mechanism, it may be worth exploring further whether SCCs may be an additional tool for your organization to rely on.