Important Updates For Businesses That Transfer Data From Europe: European Commission Adopts New Standard Contractual Clauses
On Friday, June 4, 2021, the European Commission adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to “third countries” (i.e., countries outside the EEA). We highlight three key points for the cross-border clauses.
1. What are the timelines for using the new clauses?
Existing transfers: Parties can continue to rely on the old clauses for up to 18 months (until December 24, 2022) as long as the processing operations remain unchanged and the use of the clauses ensures the transfer of personal data is subject to adequate safeguards (e.g., continue to consider post-Schrems II risk assessments and related factors).
New transfers: Parties can use the old clauses for 3 months (until September 24, 2021) for new transfers. After that, parties will need to use the new clauses.
2. What are the key changes?
According to the European Commission, the new clauses address the following:
Updates in line with the General Data Protection Regulation (note the old clauses pre-dated the GDPR)
One set of clauses to address multiple transfer scenarios (versus different sets of clauses depending on the transfer); this expands the types of scenarios covered to include processor-to-processor and processor-to-controller transfers in addition to the previously covered controller-to-controller and controller-to-processor transfers
Flexibility to add more than two parties to the clauses (to address complex data processing scenarios)
A toolbox to comply with Schrems II requirements
3. What should I do next?
Parties using the old clauses should take steps to update their contracts to the new clauses. The timeframe to complete this task will depend on whether the data transfer activities remain the same or plan to change.
Some entities that were previously unable to use the clauses now have the option to use them (processor-to-processor and processor-to-controller). In those cases, the parties can assess if they should enter into the new clauses to facilitate cross-border transfers.
If you make changes to your cross-border data transfer compliance approach, then don’t forget to update your policies and procedures to reflect these changes (such as your website privacy notices or internal process documents).