The European Commission published its implementing decision for the new Standard Contractual Clauses (“SCCs”) in June of 2021. On September 27, 2021, the old SCCs that had been adopted prior to the General Data Protection Regulation (“GDPR”) going into effect were officially repealed, and all new data transfers relying on the SCCs as their cross-border transfer safeguard mechanism under the GDPR will need to adopt the “new” SCCs. (For more on SCCs generally, see our post here.)
Unlike the old SCCs, the new SCCs require the parties to think about the nature of their cross-border data transfer relationship and customize the SCCs to fit it. Specifically, the new SCCs outline four categories of relationships, each covered by a different “module” within the SCCs:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to processor
- Module 4: processor to controller
Once the parties understand the nature of their relationship, the new SCCs can be pulled together following the modular format put forth by the European Commission, with about half the new SCC provisions containing unmodifiable language applicable to all relationships and half of the new SCC provisions requiring the parties to select the language applicable to the appropriate relationship.
While the new SCCs require more user engagement to select the appropriate clauses as compared to the old SCCs that came in only two flavors, the new SCCs incorporate two crucial advantages over the old SCCs.
First, all topics required to be addressed under the required data processing agreement between controllers and processors under Article 28(3) of the GDPR are covered by the new SCCs. Accordingly, the new SCCs no longer need to be attached to a separate data processing agreement, creating lengthy and sometimes redundant verbiage. Instead, the new SCCs may stand on their own as a data processing agreement. As a result, the new SCCs are likely to become the new standard for data processing agreements.
Second, and perhaps more importantly, the old SCCs were only effective if the party exporting the personal information was established in the EU. Technically, the old SCCs were not effective between two non-EU parties. The new SCCs remove this restriction and expressly recognize that the data exporter can be a non-EU party.
Companies that both import and export personal information from Europe should familiarize themselves with the new SCCs, as new agreements relying on SCCs are required to adopt the new version. Existing agreements that adopted the old SCCs, and went into effect prior to September 27, 2021, have a grace period until December 27, 2022 to update to the new SCCs. However, given the advantages the new SCCs provide over the old SCCs, it may be worthwhile to prioritize converting to the new SCCs sooner rather than later.