On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (SCCs). It is nearly a year since the European Court handed down its judgment in the Schrems II case, so the publication of the new SCCs is welcome news for many organisations across Europe and beyond.

The new SCCs seek to address the complex requirements laid out by Schrems II, and lay to rest some of the speculation and uncertainty following the Schrems II judgment.

Key points to note

  • The new SCCs have now been published in the Official Journal of the EU and will be in force with effect from 27 June 2021. From this date, organisations subject to the EU GDPR will have a period of 18 months to transition to the new SCCs.
  • Unlike the old SCCs, which covered only the traditional controller-to-controller and controller-to-processor scenarios, the new SCCs also provide a set of processor-to-processor and processor-to-controller clauses. This resolves a key challenge previously faced by many organisations by finally plugging the obvious gaps in the coverage of the old SCCs.
  • Many of the provisions in the new SCCs have been brought more in line with the EU GDPR requirements, including the obligations on processors which now include all elements required under Article 28 GDPR.

Next steps

With that said, many questions remain unanswered. For organisations carrying out data transfers subject to the UK GDPR, the ICO intends to issue draft new SCCs for consultation this summer. In the meantime, UK organisations must continue to rely on the previous EU SCCs when undertaking data transfers that are subject to the UK GDPR. However, organisations transferring data from both the UK and the EEA to a third country, like the United States, may well be asking: how will these two separate forms of SCCs work together?

Given that this question and so many others remain unanswered for UK-based businesses, some may well be questioning whether it is permissible to wait until the UK version is published in final form before repapering existing contracts. However, for those businesses that are subject to the EU GDPR, it is clear that the publication of the new SCCs marks the start of a lengthy project of contract repapering, international data flow mapping and contingency planning for businesses, rather than a conclusion to the uncertainty which has prevailed for the last 12 months.

Given the uncertainty around the SCCs and the now invalid EU-US Privacy Shield (and any replacement to it, whether at a UK and/or EU level), we are seeing increasing numbers of global clients look again at submitting a Binding Corporate Rules application to protect their internal transfers, in the hope and expectation that it provides greater protection against what has become a fairly volatile area of law. We do not expect to see an end to the ongoing challenges against organisations which transfer data overseas in reliance upon the SCCs, and against the regulators which are responsible for enforcing compliance with the EU GDPR.

Given the major task which now faces organisations of all scales, they are likely to turn to their AI solutions where possible to read contracts and identify those which need to be varied to introduce the new SCCs. This could save a considerable amount of time for organisations undertaking a repapering project, and should allow businesses to significantly reduce the cost of ensuring compliance now that the new SCCs have been launched.

This article was first published by pro manchester. Louisa Williams is speaking at pro manchester’s Trailblazing Tech event on Friday 2nd July.

 

Written by

Louisa Williams


Date published

24 June 2021
