CNIL of France recently issued a reminder that the previous Standard Contractual Clauses can no longer be used for the transfer of data outside of the EU.
CNIL of France has recently issued a reminder that the old Standard Contractual Clauses (SCCs) can no longer be used, as of 27th December. Data exporters and importers will have to rely on either the clauses updated in 2021 or another transfer tool. The model Standard Contractual Clauses were updated by the European Commission on June 4, 2021 to replace those from 2001 and 2004. Following the June 2021 update, there was a 15 month period, during which data exporters and importers could still use the old Standard Contractual Clauses for transfers outside the EU. However this period has officially ended as of December 27th, 2022, as this notice from CNIL points out.
For contracts concluded prior to 27 September, 2021, for which the subject matter remained unchanged, the earlier SCCs could have still been used.
Until 27 December 2022, controllers and processors could have continued to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, as long as the processing operations which are the subject matter of the contract were the same. However, from 27 September 2021, it was no longer possible to conclude any contracts which included these earlier sets of SCCs, adopted under the previous Data Protection Directive 95/46. It was only possible to continue using those contracts which included the previous SCCs on contracts concluded prior to last September.
While a new Trans-Atlantic data agreement is expected soon, organisations have a few options in the interim, to continue making international data transfers.
Since the 2020 Schrems II judgement, the European Court of Justice (ECJ) concluded that SCCs can always be used as a transfer tool to transfer data to a third country. However, the ECJ has also emphasised that it is up to the exporter and the importer of data to assess whether the legislation of the third country makes it possible to respect the level of protection required by EU law and the safeguards provided by SCCs in practice. At times, SCCs may not be enough to ensure the safety of data transferred to third countries. Last year, an executive order was signed by the U.S President for the establishment of a new Trans-Atlantic Data Privacy Framework into law. The European Commission has also confirmed that a draft decision on U.S. adequacy will soon pave the way for a replacement EU-U.S. data transfer deal. In the interim, and where the transfers concern not only the US but also other third countries, organisations have a few options for the continuation of international data transfers, including the latest amendment of the Standard Contractual Clauses.
It is important to note that for international data transfers where the UK GDPR applies, organisations need to use the UK International Data Transfer Agreement or the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers.