New European Union Standard Contractual Clauses (SCC) For International Data Transfers
These were published in June 2021 and incorporate developed and more up to date data protection provisions GDPR and take into account the Schrems II European Court of Justice decision that invalidated the EU-US privacy shield.
The old Standard Contractual Clauses (SCCs) will be replaced with these new SCCs for any new contracts from the 27th of September 2021 and in the old contracts by the 27th of December 2022. This means for the businesses affected, catching up with contractual work and changing the references to these clauses.
The European Commission published two sets of SCCs. The first set applies to cross border transfers to third countries and the second set applies between Controllers and Processors. The second set is welcome indeed as relationships between Controllers and Processors were more difficult to predict under the GDPR rules and contractual were using their own.
The new SCCs are organised in modules which is practical: they apply to transfers from:
Controller to Controller (C2C);
Controller to Processor (C2P);
Processor to Processor (P2P); and
Processor to Controller (P2C).
We are particularly pleased with guidance towards the P2P and P2C as this was vague before and had to be improvised, to say the least, from the C2P. A welcome improvement is also the recognition that multiple parties can now be part of SCCs clauses. It also recognises that data exported can in fact be a non-EU entity, which did not happen before.
In the UK, the GDPR has been kept as UK GDPR. The UK ICO (Information Commissioner’s Office) has welcomed the approval by the EU of the adequacy of UK GDPR. This means the continuous flow of data between the UK and EU, making things much easier for UK businesses that receive data from or have offices in the EU and EEA.
We will wait and see, but the above modules may well find their way within the standard contractual clauses used within the data exchanges within the UK as well. However, UK businesses that exchange data with the EU or have offices in the EU must be prepared for these changes and start revising their contractual arrangements regarding Data.