The Schrems II decision invalidated the EU-U.S. Privacy Shield and questioned the legitimacy of the Standard Contractual Clauses (“SCCs”), leaving many multinational organizations wondering how to safely send or receive personal data originating inside the European Economic Area (“EEA”) outside the EEA. On June 4, 2021, the European Commission published their final version of the new SCCs.
The new SCCs introduce a modular concept and follow in the footsteps of the old SCCs by addressing controller-to-controller and controller-to-processor transfers. The new SCCs break new ground by addressing processor-to-processor and processor-to-controller transfers. Additionally, reflecting the Schrems II decision, the new SCCs require the parties to conduct a “transfer impact assessment” to determine whether the laws of the importing country have sufficient data protections for a lawful transfer. A finding of inadequate protection will require supplementary measures, like encryption, to be put in place. We expect the European Data Protection Board to provide final guidance on the transfer impact assessments.
Fortunately, companies have a grace period to adjust to the new SCCs, as they can rely on the old SCCs for new transfers for the next three months. Existing transfers can remain on the old SCCs for eighteen months.
Here are some ways companies can start preparing for the new SCCs:
- Create a new data map to understand where any personal data is coming from or being transferred to.
- Conduct a transfer impact assessment and perform diligence on customers or vendors in connection with data transfers.
- Identify existing transfers and categorize the type of transfer (controller to controller, processor to controller).
- Begin the process of amending applicable contracts and/or data processing agreements to incorporate the new SCCs.
- Update any model agreements to incorporate new SCCs.
The eighteen-month deadline for existing transfers, December 2022, will come quickly and it is imperative that companies start preparing their data privacy practices now.