EU Commission Publishes New SCCs


Thank you to Lydia de la Torre of Golden Data Law and to Monica Tapavalu of Enlightened Privacy, PC for their contributions to this article.

What are SCCs and why are they important?

Standard Contractual Clauses (SCCs) are contractual provisions for personal data transfers pre-approved by a regulator as compliant with applicable laws.

You have probably heard the term “SCCs” used most often to refer to the Controller-Processor and Controller-Controller data transfer clauses approved by the European Commission, which organizations currently rely on to design and implement compliant data transfer schemes. (Fun fact: there are other SCCs beyond the European data transfer ones, such as the SCCs adopted in Argentina and New Zealand.)

What are the new developments regarding SCCs?

Since the General Data Protection Regulation (“GDPR”) went into effect, the European Commission has been working on updating the existing SCCs to align them with the GDPR. On June 4, 2021, the European Commission published (i) the final version of the SCCs for transfers of personal data to third countries (i.e. cross-border transfers) under the GDPR (for compliance with Article 44 et seq. of the GDPR, which restrict cross-border transfers), and (ii) the final version of the controller-to-processor SCCs (for compliance with Article 28 of the GDPR, which sets the requirements for controller-to-processor contracts).

“Wait, I’m confused!” you say? Not to worry. As a refresher, think of data transfer compliance under the GDPR as having two parts, like the two sides of a cassette tape. Side A addresses the cross-border transfer restrictions in Article 44 et seq. of the GDPR; most companies have used the existing SCCs for Side A compliance. Side B addresses the controller-to-processor contract requirements in Article 28 of the GDPR; most organizations have created their own DPA template for Side B compliance. The new SCCs now provide standard clauses for both Side A and Side B.

The new SCCs for transfers of personal data to third countries (Side A) take a modular approach and include general provisions that apply to all transfers and several provisions that apply to specific types of transfers and must be selected based on the status of the parties under the GDPR. The types of transfers covered by the SCCs for transfers of personal data to third countries include:

  1. Controller-to-controller (C2C) transfers;

  2. Controller-to-processor (C2P) transfers;

  3. Processor-to-processor (P2P) transfers; and

  4. Processor-to-controller (P2C) transfers

You can read the European Commission press release here, the Controller-Processor SCCs here, and the Third Country Transfer SCCs here.

When will they be effective?

Effective Date: The new SCCs take effect 20 days after publication in the Official Journal of the European Union.

For new transfers — when to stop using old SCCs: The former SCCs for transfers of personal data to third countries are repealed three months after the new SCCs take effect, and organizations will not be able to rely on the former SCCs for new data transfers after that date.

For existing contracts using old SCCs — when to implement new SCCs: Existing contracts for cross-border transfers that already incorporate the former SCCs remain valid, but only for 18 months after the new SCCs take effect, and only provided the processing operations that are the subject of the contract remain unchanged.

What should organizations that transfer data to third countries do now?

Organizations that rely on SCCs for cross-border transfers should take immediate action to make sure they remain GDPR compliant. Below we summarize the main action items we are recommending at this time, but please do not hesitate to reach out so that we can discuss over the phone the best strategy for your particular situation:

  1. Before September 1st, 2021: Update templates to ensure that the new version of SCCs is used in all NEW contracts involving cross-border transfers. Provide internal training as to how to select the correct modules for each particular contract and fill out the correlated annexes (C2C, C2P, P2P or P2C).

  2. Before January 1st, 2022: Identify all existing contracts that rely on the old version of the SCCs for transfers of personal data to third countries and the particular type of transfer they cover (C2C, C2P, P2P or P2C).

  3. Before November 1st, 2022: Update contracts relying on the old version of SCCs for transfers of personal data to third countries to include the new version instead.

What should organizations that use Data Protection Addendums (DPAs) to comply with GDPR C2P contractual requirements under Article 28 do?

Unlike the new SCCs for transfers of personal data to third countries, the controller-to-processor SCCs released by the European Commission are optional: organizations currently relying on Article 28-compliant DPAs are not required to adopt them. However, updating DPAs to better align them with the Commission’s version can reduce friction in future contract negotiations. This is particularly true for frequently negotiated clauses such as audit provisions.

What about the UK?

The new SCCs cannot be used for transfers of personal data from the UK, as the UK is no longer a member of the European Union. The UK Information Commissioner’s Office is expected to adopt a similar set of clauses for transfers from the UK in due course.

What is the most efficient way to conduct a gap assessment and implement the necessary updates?

Adopting the new SCCs will be a significant lift for organizations, particularly because they are required to update existing contracts within a relatively short period of time. However, there are a few strategies that in our experience can help maximize the resource investment while ensuring the project is successfully completed.

Here are a few tips:

  • Scope the project early and secure resources: This is key to success and should be the first priority. Considerations: (a) identify the internal resources needed; (b) reach out to relevant stakeholders; (c) engage external resources as needed to help with contract negotiations.

  • Be holistic and strategic about your contractual compliance approach: To the extent possible, try to apply the same contractual provisions across all jurisdictions. A holistic approach can be operationally beneficial, even where it might result in increased requirements in jurisdictions where the laws allow for flexibility. For organizations subject to the new California Privacy Rights Act (CPRA) and/or Virginia’s Consumer Data Protection Act (CDPA), aligning your contractual compliance approach with the GDPR will result in significant synergies and greatly reduce the need for resources over time.

  • Keep it as simple as possible: Invest the time and resources up front to design a set of DPA templates that are as streamlined and commercially viable as possible. Consider creating or updating a “playbook” with different options to reduce friction in negotiations. Since the enactment of the GDPR, the trend in privacy contractual compliance has been towards increased complexity, driven by overlapping jurisdiction-specific requirements. We are at a point where the data transfer provisions in a given contract can be significantly longer than the underlying commercial terms (the new SCCs for transfers to third countries alone run to 36 pages). Keeping a simple ledger of contracts involving data transfers can also prove extremely helpful down the road, minimizing the effort needed for additional updates as new legal requirements are introduced.

While this may at first seem like yet another scramble for compliance, it can be managed with a thoughtful, step-by-step approach. Think of this as an opportunity to enhance and improve existing contracts and an opportunity to identify and close any existing gaps. We’re here to help you think through those steps and move into this next era of contractual compliance. Just reach out with questions!

And to help provide a bit of calm perspective and make this process smoother, below is a brief “guided meditation” to help you de-stress and get clear. Enjoy!

A Guided Meditation to the New SCCs

Become aware of any tension or unease you may be feeling about these new SCCs — is there uncertainty? Confusion? Panic? Worry?

Acknowledge it. Now take a deep breath. Exhale and slowly release it, imagining that you’re releasing any stress you first noticed. Know that you have time to get these implemented.

Visualize yourself successfully implementing the SCCs with perfect ease, no friction. What does “success” look like for you and your organization? Imagine that and feel like it’s already happened. You’ve done it!

When you’re ready, return from your visualization, refreshed, energized, and ready to go!
