It has been reported that European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European data protection law since the coming into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, which was three years ago this month. These new SCCs will replace prior versions of the SCCs, some of which date back to 2001 and pre-date the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as these are published. We expect the impact of these SCCs to be significant on organizations which are directly subject to the GDPR or which receive personal data from organizations that are subject to the GDPR.
As is well-known, SCCs are template data transfer agreements that allow data exporters in the European Economic Area (“EEA”) to transfer personal data to countries outside the EEA that the Commission treats as providing an “inadequate” level of data protection in accordance with the EU General Data Protection Regulation. (Countries in this category include Australia, Brazil, China, India and the United States.) The new SCCs comprise four different forms Controller-to-Controller, Controller-to-Processor, Processor-to-Controller, and Processor-to-Processor relative to only two forms in the current versions, namely Controller-to-Controller, Controller-to-Processor. Relative to the current SCCs, the new SCCs also impose substantially enhanced obligations on both data exporters and data importers to reflect both the coming into force of the GDPR in 2018 and the decision of the Court of Justice of the European Union in the Schrems II case in 2020.
Based on press reports, the final versions of the new SCCs may, at least in part, be substantially different from the draft versions published in December. For example, a longer period may potentially be offered to organizations to transition to the new SCCs from the existing SCCs. Many organizations also hope that the final versions of the new SCCs will help resolve certain tensions between the draft version from December and the European Data Protection Board’s guidance on Schrems II compliance (notably, whether organizations are allowed to adopt a risk-based approach to assessing data protection risks in the country of data import.)