European Commission Adopts New Standard Contractual Clauses for Data TransfersBy: Faith D. Kasparian, Ann M. O'Rourke & Ryan J. Perry
June 8, 2021
On Friday, June 4, 2021, the European Commission released eagerly anticipated Standard Contractual Clauses (SCCs) for transfers to third countries (the “Data Transfer SCCs”). On the same day, the European Commission released another set of Standard Contractual Clauses addressing data sharing between controllers and processors in the absence of a third-country transfer.
The Data Transfer SCCs are “model data protection clauses” that businesses can utilize to help ensure that they are in compliance with certain obligations under the General Data Protection Regulation (GDPR).
Since the EU-U.S. Privacy Shield had been invalidated in the Schrems II decision, the previous set of European Commission model clauses have become an increasingly important way for companies to lawfully transfer data between the European Union and the United States. In addition, given that Vice President of the European Commission, Věra Jourová, recently stated that new legislation in the U.S. might be “necessary” before a new deal is reached to replace the Privacy Shield, it is likely that businesses will need to rely upon these new Data Transfer SCCs for the foreseeable future.
In particular, the Commission noted that these new Data Transfer SCCs:
- Bring data transfers in line with the GDPR;
- Create a “single entry-point” for multiple types of data transfers;
- Allow for flexibility via a “modular approach” and by letting more than two parties enter into these clauses; and
- Include provisions meant to address the Schrems II decision.
Notably, these new Data Transfer SCCs also contain certain contractual provisions required under Article 28 in the GDPR. Up to now, businesses usually included these contractual provisions in negotiated data processing agreements or addenda (DPAs).
For businesses that currently are using the previous set of European Commission model clauses, there is an 18-month transition period, after which, businesses must ensure that any applicable contracts and data protection agreements have been updated to incorporate the new Data Transfer SCCs.