Schrems II Fallout Continued: Finalised SCCs Released
For the first time in a decade, the European Commission has just issued new and finalised international data transfer agreements, known as Standard Contractual Clauses ('SCCs'), which international companies will now need to put in place. SCCs represent the most common transfer mechanisms that international companies rely on. With organisations seeking to comply with the CJEU's decision in Schrems II, coupled with an overhaul of existing contracts resulting from new SCCs, this development will be of key importance for companies.
Watch as OneTrust DataGuidance, Sidley, and an expert panel provide a practical analysis on the new SCCs and answer the key questions for organizations in understanding the future of international data flows. In this webinar, we are be joined by a cross-industry panel including William Long, Partner at Sidley, Caroline Louveaux, CPO - MasterCard, Tina Maisonneuve, CPO - Nokia, Chris Foreman, CPO -Merck Sharp & Dohme, Monika Tomczak-Gorlikowska, CPO - Prosus, and Lara Liss, CPO - Walgreens Boots Alliance.
Key Takeaways will include:
- In-depth reaction and analysis of the new SCCs
- What are key changes with the new SCCs and the initial draft
- When do companies need to implement them
- How to plan for international data transfers over the next few months
To access this webinar's presentation, click here.
To access a Sidley Austin LLP Resource, "Ten Key Issues on the New Standard Contractual Clauses or SCCs", click here.
Interview with William RM Long, Partner at Sidley Austin LLP
1. What are your initial thoughts on the new SCCs that were published by the Commission on Friday?
My initial thoughts are that the new SCCs will involve a lot of work for companies over the next few months (and years). This is because the SCCs are quite complex. Unlike the old SCCs, which had two transfer scenarios, the new SCCs have four transfer scenarios or modules including for the first time transfers from processors in the EU. While this provides greater flexibility it does mean careful thought will be required as to which modules are relevant to the business. In addition, the provisions in the SCCs can differ depending on the module and they are certainly onerous, for example, having to set out security measures in detail for each transfer.
2. Do companies have some time to put these new SCCs in place?
Yes, there are transitional provisions in the new SCCs, so basically companies can continue to use the old SCCs for a further 3 months and then will need to use the new SCCs when entering into new contracts and for existing SCCs will have 18 months to move those existing ones onto the new SCCs. So while there is some time, companies will need that time because, as mentioned, the new SCCs are complex, require careful consideration and a project plan as to how they will be rolled out.
3. Do the new SCCs confirm companies have to undertake a Schrems II style data transfer assessment?
Yes, the new SCCs require a Schrems II data transfer assessment to be carried out as the parties have to warrant they have no reason to believe the laws and practices in the third country prevents the importer fulfilling its obligations under the new SCCs. Importantly, the new SCCs have been amended so parties can take into account subjective factors when carrying out this assessment including the circumstances of the transfer, the laws and practices of the third country and relevant contractual, technical or organisational safeguards. It should also be noted that the new SCCs require this assessment is documented and made available to authorities on request, so it needs to be carefully done.
4. What do the new SCCs say about challenging requests by public authorities in third countries for access to data?
This has been a key concern of many companies as the draft SCCs published last November required the importer to exhaust all available remedies to challenge a request. The new SCCs have been amended on this point to provide a little bit more flexibility as now the importer must agree to challenge the request if it concludes there are reasonable grounds to consider the request unlawful. However, the new SCCs still require the importer to pursue possibilities of appeal. So again companies are going to have to carefully consider how to deal with this and many other requirements in the new SCCs.
Further Schrems II Judgment Resources
- OneTrust DataGuidance News: EU: EDPS Launches Two Investigations Following Schrems II Judgment
- OneTrust DataGuidance Portals and Comparisons: Schrems II Portal
- OneTrust DataGuidance Video: EDPB Schrems II Guidance: What You Need To Know
- OneTrust DataGuidance Blog: The Definitive Guide to Understanding Schrems II