July 24, 2021

Volume XI, Number 205

Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long-awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated (1) to more directly address GDPR and (2) in response to comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).

So what’s new? Among other changes, two of the biggest differences in these new “cross border” SCCs are the modular approach and provisions to address Schrems II. The new SCCs combine a set of non-negotiable, standard clauses, along with a modular approach, so companies can adapt the SCCs to different data transfer scenarios. The previous SCCs contemplated only two transfer scenarios: controller-to-controller transfers and controller-to-processor transfers. Now, the SCCs contemplate more realistic transfer situations, including Controller-to-Controller transfers (Module 1); Controller-to-Processor transfers (Module 2); Processor-to-Processor transfers (Module 3); and Processor-to-Controller transfers (Module 4). In relation to the Schrems II ruling, the new SCCs allow organizations to take a risk-based approach when assessing the possibility of (foreign) public authorities accessing the data under their local laws. This means, for example, that a data importer’s mere eligibility to receive data disclosure directions under Section 702 of the U.S. FISA Act should not automatically stop the ability to transfer data, if the parties can demonstrate that the likelihood of such disclosures is sufficiently low.

What’s the timing? The new cross-border SCCs can be used instead of the old terms starting June 27, 2021. From June 27, 2021 until September 27, 2021, both the “old” SCCs and the new SCCs can be used for new contracts. However, from September 27, 2021 onwards, only the new SCCs can be used for new contracts. There is an 18-month grace period for existing contracts under the old SCCs. This means that by December 27, 2021, all existing contracts using the old SCCs will need to be replaced by the new terms.

So what is the second set of SCCs? The EC has also issued SCCs for transfers of information between controllers and processors. These clauses can be used by entities operating solely within the EU, and can be incorporated into a broader contract between the parties. Provisions include those contemplated under GDPR, including that processors will use information only as set forth in the SCCs, and will provide security for information processed. While companies are not required to use these controller-processor SCCs and could instead negotiate and include each of the elements required to be contained in a controller-processor agreement under GDPR, using these SCCs could make the contracting process simpler. (These SCCs do not contain cross-border provisions, which would still need to be addressed where relevant.)

Putting it into Practice. During this grace period, companies relying on old SCCs for cross-border data transfers should start inventorying existing arrangements and prepare to implement the new cross-border SCCs. Even though these new SCCs have been designed to largely address the requirements of Schrems II, companies will still need to assess whether the cross-border SCCs alone will suffice or whether any other additional measures are needed. For data importers in particular, this may include preparation of a transparency report and transfer impact assessments. With respect to intra-EU transfers between controllers and processors, companies can rely on these new SCCs to address GDPR obligations.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 167

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Oliver Heinisch, Sheppard Mullin, Antitrust Regulation Lawyer, Fair International Competition Attorney
Partner

Oliver Heinisch is a partner in the Antitrust and Competition Practice Group in the firm's London office.

Mr. Heinisch advises on all areas of EU, UK and German competition law with a focus on international cartel and abuse of dominance procedures including related antitrust litigation matters as well as merger control law. He has substantial expertise in advising on the interface between intellectual property and competition law mainly in the context of complaint cases, investigations of competition authorities and intellectual property...

32 (0) 2 290 7904

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334