On June 4, 2021, the European Commission formally adopted new standard contractual clauses for international personal data transfers from the European Economic Area (“EEA”) to other countries (the “New SCCs”). Standard Contractual Clauses (“SCCs”) allow personal data to be transferred outside the EEA to countries that the European Commission identifies as not providing “adequate” level of data protection (including China and the US).
Transition Period
The New SCCs will take effect twenty (20) days after publication in the Official Journal of the European Union (the “Effective Date”) and the old SCCs will be repealed three (3) months thereafter. During such three-month period, companies can still enter into the old SCCs, however, companies must convert to the New SCCs by the end of fifteen-month period following the repeal of old SCCs. So totally, companies will have eighteen (18) months from the Effective Date as the transition period.
Key Highlights of the New SCCs
This article only summarizes certain key highlights of the New SCCs. Companies subject to GDPR are encouraged to read the whole text of New SCCs (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en) carefully for better understanding.
Modular Approach: The New SCCs address four modular: (i) controller-to-controller, (ii) controller-to-processor, (iii) processor-to-processor, and (iv) processor-to-controller, which better serves nowadays complex data transferring and processing transactions. The old SCCs only apply to controller-to-controller and controller-to-processor.
No Separate Data Processing Agreement required: The New SCCs, unlike the old ones, incorporate requirements under Article 28 of GDPR, which requires certain contract terms and conditions between data controller and date processor on how data will be processed. Therefore, a separate data processing agreement between controller and processor is no longer required.
Transfer Impact Assessment: Parties to the New SCCs are required to warrant that they have carried out an assessment of the laws in the countries to which the personal data will be transferred and have no reason to believe that the laws in such countries will prevent the data importer from fulling its obligations under the New SCCs. In addition, the parties must document the assessment and make it available to supervisory authority on request.
Data Subject as Third-Party Beneficiary: Under the New SCCs, a data subject can enforce certain provisions directly against both the data exporter and the data importer, while under the old SCCs, data subject may enforce provisions only against the data importer only if the data exporter had factually disappeared or ceased to exist in law.
Multiparty SCCs: The new SCCs allow a data controller or a data processor who is not an original party to accede to the new SCCs as long as all the parties agree, via a "docking clause," essentially, having such additional party sign on the relevant Annex.