EU: Commission's finalised SCCs - Key Resources
Following much anticipation, the European Commission announced, on 4 June 2021, that it had adopted two sets of Standard Contractual Clauses ('SCCs'), one for use between controllers and processors ('the Controller-Processor SCCs') and one for the transfer of personal data to third countries ('the Third Country Transfer SCCs'). This page presents all the key resources and documents organisations can rely on to address the new set of SCCs.
The Commission noted that the new set SCCs reflect the requirements under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and take into account the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), with a view to ensuring a high level of data protection for citizens. The Commission further highlighted that the new SCCs take into consideration the joint opinion of the European Data Protection Board ('EDPB') and the European Data Protection Supervisor ('EDPS'), feedback from stakeholders, and the opinion of Member States' representatives.
OneTrust DataGuidance lists below the latest documents and key resources on the revised SCCs.
Schrems II Fallout Continued: Finalised SCCs Released Webinar
OneTrust DataGuidance, Sidley, and an expert panel will provide practical analysis on the new SCCs and the key questions for organizations in understanding the future of international data flows. In this webinar, we will be joined by a cross-industry panel including William Long, Partner at Sidley, Caroline Louveaux, CPO - MasterCard, Tina Maisonneuve, CPO - Nokia, Chris Foreman, CPO -Merck Sharp & Dohme, Monika Tomczak-Gorlikowska, CPO - Prosus, and Lara Liss, CPO - Walgreens Boots Alliance.
Key takeaways will include:
- In-depth reaction and analysis of the new SCCs
- What are key changes with the new SCCs and the initial draft
- When do companies need to implement them
- How to plan for international data transfers over the next few months
Join OneTrust DataGuidance and a cross-industry panel for this webinar here.
Interview with William RM Long, Partner at Sidley Austin LLP
1. What are your initial thoughts on the new SCCs that were published by the Commission on Friday?
My initial thoughts are that the new SCCs will involve a lot of work for companies over the next few months (and years). This is because the SCCs are quite complex. Unlike the old SCCs, which had two transfer scenarios, the new SCCs have four transfer scenarios or modules including for the first time transfers from processors in the EU. While this provides greater flexibility it does mean careful thought will be required as to which modules are relevant to the business. In addition, the provisions in the SCCs can differ depending on the module and they are certainly onerous, for example, having to set out security measures in detail for each transfer.
2. Do companies have some time to put these new SCCs in place?
Yes, there are transitional provisions in the new SCCs, so basically companies can continue to use the old SCCs for a further 3 months and then will need to use the new SCCs when entering into new contracts and for existing SCCs will have 18 months to move those existing ones onto the new SCCs. So while there is some time, companies will need that time because, as mentioned, the new SCCs are complex, require careful consideration and a project plan as to how they will be rolled out.
3. Do the new SCCs confirm companies have to undertake a Schrems II style data transfer assessment?
Yes, the new SCCs require a Schrems II data transfer assessment to be carried out as the parties have to warrant they have no reason to believe the laws and practices in the third country prevents the importer fulfilling its obligations under the new SCCs. Importantly, the new SCCs have been amended so parties can take into account subjective factors when carrying out this assessment including the circumstances of the transfer, the laws and practices of the third country and relevant contractual, technical or organisational safeguards. It should also be noted that the new SCCs require this assessment is documented and made available to authorities on request, so it needs to be carefully done.
4. What do the new SCCs say about challenging requests by public authorities in third countries for access to data?
This has been a key concern of many companies as the draft SCCs published last November required the importer to exhaust all available remedies to challenge a request. The new SCCs have been amended on this point to provide a little bit more flexibility as now the importer must agree to challenge the request if it concludes there are reasonable grounds to consider the request unlawful. However, the new SCCs still require the importer to pursue possibilities of appeal. So again companies are going to have to carefully consider how to deal with this and many other requirements in the new SCCs.
What You Need To Know
Key Resources from OneTrust DataGuidance
- DataGuidance Regulatory Update
- Schrems II Portal
- Data Transfers Comparison
- Webinar - Schrems II fallout - Finalised SCCs released
- Insight - EU: Commission adopts new SCCs - Reactions and analysis