What You Need To Know About New Standard Contractual Clauses (SCCs) Published by the EDPB
On 4 June 2021, in a move that will impact many of the world's organizations, the European Commission released its long-awaited final Implementing Decision on Standard Contractual Clauses (New SCCs). The new SCCs replace the old SCCs and are intended to guide organizations on the transfer of personal data to third countries outside the European Economic Area (EEA) that don't meet GDPR requirements. When the third country doesn't meet an adequate level of protection (afforded by GDPR), the most common safeguards are SCCs.
Why the Need for new SCCs
The old SCCs date back to 2001, with amendments in 2004 and 2010. While these SCCs did an adequate job in addressing data subject rights in the past, it became clear that they were falling short in some areas.
One of the primary motivating factors for designing new SCCs was the Schrems II ruling. On 16 July 2020, the Court of Justice of the European Union ruled that the EU-US Data Protection Shield, which many organizations relied on to transfer data between the countries, was invalidated. Following this verdict, the European Data Protection Board (EDPB) and other parties started drafting changes to the SCCs.
What You Need to Know About the New SCCs
The new SCCs take a modular and more flexible approach to data transfer, addressing the gaps in the old SCCs. The new SCCs outline controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor transfers. The latter two were not included in the old SCCs. This change more accurately reflects how personal data flows in the digital age and enables organizations to select the clauses that best meet their needs.
As of 27 September 2021, the new SCCs must be used for all new contracts entered into.
The geographic scope of the new SCCs is different from the old SCCs. Previously, the data exporter had to be an entity "established" in the EEA. Under the new SCCs, they only have to be an entity subject to GDPR (for example, they offer goods or services to data subjects in the EEA).
The new SCCs address known deficiencies in the old clauses, including allowing for transfers involving multiple parties. The new optional "docking clause" permits the adding of new parties to the SCCs.
The new SCCs provide the necessary data processing agreements outlined in the European Commission's Article 28. Since the old SCCs emerged from GDPR's predecessor, they didn't encompass these agreements, and organizations would have to add additional requirements to be compliant.
Which Organizations Are Impacted by the New SCCs
The new SCCs will now be the primary mechanism for transferring personal data outside of the EEA. As a result, organizations that conduct cross-border transfers outside of the EEA will need to familiarize themselves with the new guidelines and move away from the old SCCs.
However, not all cross-border transfers require the execution of the new clauses. For example, an organization could choose not to execute the new SCCs if the data importer is located in an "adequate" jurisdiction such as Canada. Other exceptions include if the data is exported from the UK or Switzerland or if another GDPR-compliant transfer mechanism is already in place.
Additionally, organizations that have implemented the old SCCs can still use them as transfer safeguards for the transition period, which ends on 27 December 2022.