Nixon Peabody LLP

Trending Topics

    Practices

    View All

    Industries

    View All

    Value-Added Services

    View All

    Alert / Data Privacy & Cybersecurity Alert

    The new Standard Contractual Clauses are (finally) here.

    June 8, 2021

    Share

    By Jenny Holmes

    What’s the Impact?

    • Updated SCCs break new ground by addressing processor-to-processor and processor-to-controller transfers.
    • The new SCCs require the parties to conduct a “transfer impact assessment” to determine whether the laws of the importing country have sufficient data protections for a lawful transfer.
    • Companies have a grace period to adjust to the new SCCs, as they can rely on the old SCCs for new transfers for the next three months.

    DOWNLOADS

    The Schrems II decision invalidated the EU-U.S. Privacy Shield and questioned the legitimacy of the Standard Contractual Clauses (“SCCs”), leaving many multinational organizations wondering how to safely send or receive personal data originating inside the European Economic Area (“EEA”) outside the EEA. On June 4, 2021, the European Commission published their final version of the new SCCs.

    The new SCCs introduce a modular concept and follow in the footsteps of the old SCCs by addressing controller[1]-to-controller and controller-to-processor[2] transfers. The new SCCs break new ground by addressing processor-to-processor and processor-to-controller transfers. Additionally, reflecting the Schrems II decision, the new SCCs require the parties to conduct a “transfer impact assessment” to determine whether the laws of the importing country have sufficient data protections for a lawful transfer. A finding of inadequate protection will require supplementary measures, like encryption, to be put in place. We expect the European Data Protection Board to provide final guidance on the transfer impact assessments.

    Fortunately, companies have a grace period to adjust to the new SCCs, as they can rely on the old SCCs for new transfers for the next three months. Existing transfers can remain on the old SCCs for eighteen months.

    Here are some ways companies can start preparing for the new SCCs:

    • Create a new data map to understand where any personal data is coming from or being transferred to.
    • Conduct a transfer impact assessment and perform diligence on customers or vendors in connection with data transfers.
    • Identify existing transfers and categorize the type of transfer (controller to controller, processor to controller).
    • Begin the process of amending applicable contracts and/or data processing agreements to incorporate the new SCCs.
    • Update any model agreements to incorporate new SCCs.

    The eighteen-month deadline for existing transfers, December 2022, will come quickly and it is imperative that companies start preparing their data privacy practices now.

    1. Controllers are those who determine the purposes and means of processing personal data.
      [Back to reference]
    2. Processors are entities that process personal data on behalf of a controller and at the controller’s direction.
      [Back to reference]
    Privacy

    Insights And Happenings

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe