EU’s Revamped SCCs

In June 2021, the European Commission adopted revamped Standard Contractual Clauses (SCC) to enable European companies to transfer data securely around the world. These revamped SCCs provide added protections to cross border data transfers to non-adequate countries outside of the EU.

Background:

As per the GDPR, personal data transfers to another country outside the European Union can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. The safeguards include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and ad-hoc contractual clauses.

On 16 July 2020, in what became known as the Schrems II case, the Court of Justice of the European Union (ECJ) invalidated the European Commission’s EU-US Privacy Shield arrangement but upheld the use of SCCs to transfer data securely outside the EU. For SCCs to be valid however, data exporters were required to review the legal regime of the country data was transferred to and assess if the SCCs would be an effective protection for the transferred data. If the SCCs were not adequate protection, data exporters had to assess the risks to the transferred data and undertake supplementary measures to protect it further.

Heavily influenced by and as a response to the comments of the ECJ in Schrems II, the European Commission adopted two new sets of SCCs, one for the transfer of personal data to third countries and one for use between controllers and processors to replace the ones adopted in 2004 and then in 2010.

Let’s look into some of the key points of these new SCCs:

SCCs for transfer of personal data to third countries:

The new SCCs retain the same modular approach used in the previous draft, comprising four distinct modules, to enable businesses to identify the correct module in light of their circumstances:

1. Transfer controller to controller (referred to as C2C hereon)
2. Transfer controller to processor (referred to as C2P hereon)
3. Transfer processor to processor (referred to as P2P hereon)
4. Transfer processor to controller (referred to as P2C hereon)

Applicability:

• The revamped SCCs are applicable starting June 27th, 2021.
• Both the old and revamped SCC can be signed up to September 27th, 2021 (3 months after the start date). After this date, only the revamped SCC can be signed.
• Current SCCs must be replaced with the revamped SCC by December 27th, 2022.

Key Takeaways:

Some of the key takeaways of the revamped SCCs are as follows:

• There is a lot of focus on accountability, compliance and audit obligations. They especially require processors who process transferred data in a non-adequate country to provide documentation to show that they have processed data for the designated purpose in compliance with the SCCs. Updated Records of Processing Activities (RoPA) reports will help organizations fulfill these obligations and demonstrate compliance.
• Data minimization, accuracy, purpose limitation and storage limitation obligations apply to all parties in all transfers. A comprehensive data mapping exercise will help organizations in fulfillment of these principles.
• Parties are required to undertake appropriate security measures with a special focus on encryption and pseudonymization for the protection of processing of personal data.
• Importer data controllers are required to respond to even more varieties of data subjects’ requests.
• Transfer impact assessments have been made mandatory. All parties in all transfers are required to consider the laws and practices of the third country of destination, including any requirements to disclose the personal data or measures authorizing access by public authorities, to determine if they can fulfill the requirements of the SCCs.
• Breach notification obligations vary depending on whether the data transfer agreement is C2C, C2P or P2P. For importer data controllers, they may be required to notify data breaches to the data exporter, the competent supervisory authority along with the affected data subjects. For importer processors, they may only need to notify the exporter.
• The new SCCs are on-par with the GDPR in terms of data protection requirements.
• With the docking clause, the SCCs allow multiple data exporting parties to contract and the addition of new parties over time.

Overall, the new SCCs align with the requirements of the GDPR and Schrems-II. Businesses must now implement revamped SCCs as well as conduct transfer impact assessments to fully comply with Schrems-II requirements and ensure secure transatlantic data transfers. Read Post Schrems-II: 5 Essentials To Dos for Transatlantic Data Flows to learn what compliance actions you’re required to take immediately if you are still using the old SCCs.

Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the European Union and remediate discovered vendor risks as per the applicable legal requirements. Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations imposed by the revamped SCCs.

Click here to find out obligations of parties for each data transfer module.