New SCCs adopted by the European Commission last week introduce more legal and privacy safeguards for data transfers.
Since the CJEU‘s Schrems II decision last July, affecting transfers outside the EU via Standard Contractual Clauses, SCC’s have been the topic of much discussion regarding data transfers. These SCCs have been used by numerous companies for the transfer of data for several purposes including, but not limited to cloud storage, hosting, finance and marketing. The announcement was made last Wednesday, that the European Commission would be adopting new Standard Contractual Clauses come Friday, June 4th. Justice Commissioner Didier Reynders said that these new SCCs “incorporated some elements of transparency, accountability in full compliance with the GDPR”, adding that the goal was to avoid a “Schrems III”.
The European Commission has adopted two sets of Standard Contractual Clauses reflecting the new requirements under the GDPR.
The new SCCs adopted by the European Commission for the transfer of personal data to third countries take into account the details of the Schrems II judgment by the CJEU, and offer more legal predictability to European businesses. The new SCCs are expected to help small to medium enterprises in particular, to ensure compliance with safe data transfer requirements. They will provide companies with a template which is easy to implement, allowing data to move freely across borders, without legal barriers.
The European Commission has also adopted another set of SCCs for use between controllers and processors within the EU.
The new SCCs are more practical and flexible and cover a broad range of transfer scenarios.
The new Standard Contractual Clauses include an overview of the different steps that companies will have to implement in order to comply with the Schrems II judgment, complete with examples of possible supplementary measures which may be necessary to ensure compliance. These supplementary measures are intended to strengthen protection of data transferred to third countries which are not regarded as having adequate protection. These additional safeguards include encryption and pseudonymized personal data, which would prevent the personal data from being attributed to a specific individual, without the use of additional details. The new SCCs adopted by the European Commission cover a broad range of various transfer scenarios, all in one practical toolbox.
A transition period of 18 months is provided for processors and controllers that are currently using old SCCs.
Many companies, since the CJEU’s judgment last summer, have been using Standard Contractual Clauses to facilitate their third country personal data transfers. When the EU-US Privacy Shield was invalidated last July, the court confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU. However, this did not come without complications, as in various cases it was found that for data transfers to the US and other third countries, the SCCs did not provide sufficient protection for personal data. These, now old SCCs are currently in use by the majority of companies who transfer data to third countries. The European Commission has now verified that these SCCs can continue to be used for the next 18 months, as companies transition to using the new SCCs adopted last Friday.