On June 4, 2021, the European Commission adopted new sets of standard contractual clauses (new SCCs) that organizations can use when transferring personal data protected by the General Data Protection Regulation (GDPR) to countries outside the European Union (EU). The new SCCs were long overdue, but their issuance creates a number of tasks for the multitude of organizations that have used current versions of SCCs to legally transfer personal data from the EU to non-EU countries in the years following the entry into force of the GDPR.
The previous versions of the standard contractual clauses that the new SCCs will replace were issued in 2004 (from data controller to data controller) and 2010 (from data controller to processor), well before the drafting and implementation of the GDPR. Nevertheless, these standard contractual clauses have been of crucial importance for compliance with the GDPR. The GDPR provides that transfers of personal data from the EU to a third country (such as the United States) are prohibited by default, unless adequate safeguards for the data are in place. SCCs provide such safeguards, and previous versions have been widely used for cross-border data transfers since the GDPR came into effect in May 2018. The new SCCs represent a substantial overhaul of previous versions, implementing updated safeguards to align with those offered by the GDPR and also responding to concerns raised by the Court of Justice of the European Union in its Schrems II decision last summer, which invalidated the EU-U.S. Privacy Shield and called into question the adequacy of other protective measures for transfers of personal data to third countries, including the United States.
The new SCCs offer more flexibility to make data transfers GDPR compliant. The parties choose the module applicable to the relationship between the parties and use the clauses specific to this module. The new SCCs offer four modules that can be used for data transfers from:
- One controller to another controller (C2C)
- One controller to a processor (C2P)
- One processor to another processor (P2P)
- One processor to one controller (P2C)
Under the GDPR, a controller is the entity that determines the purposes and means of processing personal data, while a processor only processes personal data on behalf of and under the direction of a controller. Older SCCs did not have this flexibility and did not account for processor-to-processor or processor-to-controller data transfers at all.
- Organizations can start entering into the new SCCs on June 27, 2021.
- Organizations can continue to contract using the old SCCs for three months until September 27, 2021.
- Contracts incorporating the old SCCs have an 18-month transition period to enter into the new SCCs, with a final expiry date of December 27, 2022.
After September 27, 2021 and during the transition period, old SCCs are still valid but organizations cannot enter into new contracts with old SCCs.
What is the impact of the new SCCs on data transfers involving entities in the UK?
Since the UK left the European Union on January 31, 2020, there have been many questions about the UK’s relationship with the EU for GDPR purposes. On May 5, 2021, the UK Information Commissioner’s Office (ICO) announced that it was working on a bespoke set of its own SCCs to be used when transferring data protected by UK privacy law to countries outside the UK, and that it intended to publish a draft version of these SCCs for public review in the summer of 2021. The ICO will also consider whether to allow entities to use the new EU SCCs for such transfers. At present, therefore, the new SCCs established by the EU are not valid for restricted transfers from the UK. Organizations can continue to use the old EU SCCs for transfers from the UK to non-EU countries until the ICO issues its bespoke SCCs and/or approves the new SCCs. The ICO created British versions of the old SCCs so that they make sense in a British context.
Takeaways
In light of the potentially divergent approaches to SCCs taken by the EU and UK, organizations may need to enter into multiple sets of SCCs with their service providers and clients depending on where the people concerned are located. Organizations should look out for tailor-made UK SCCs from the ICO and guidance from EU regulators on the new SCCs later this year.
Organizations should review their contracts with their service providers and clients and create a plan to revise (once again) those contracts so that the new SCCs are in place by December 27, 2022. For service providers that handle personal data in both the UK and the EU, and until the ICO publishes its tailor-made SCCs and/or issues a decision on the new SCCs, organizations should ensure they have the old SCCs (or UK versions) in place to cover UK personal data.