In 2021, the European Commission updated the EU Standard Contractual Clauses (SCCs) to ensure the lawful transfer of personal data to countries outside the European Economic Area, also known as third countries. The previous SCCs did not reflect the General Data Protection Regulation’s (GDPR) stringent data transfer requirements and therefore had to be updated to address the new realities faced by businesses. The updated SCCs take into account GDPR compliance and the Schrems II ruling, which invalidated the EU-US Privacy Shield. This article explains SCCs, their importance, and how to implement them. It also briefly compares the old and new SCCs to help understand their differences.
SCCs were first introduced in the 1995 Data Protection Directive to ensure the lawful transfer of data from the EEA to third countries. They were especially important for businesses in third countries without an adequacy decision, such as U.S. businesses, which relied on the EU-US Privacy Shield for international data transfers until its invalidation by the Schrems II case on July 16, 2020. SCCs became the most common and appropriate safeguard used by U.S. businesses to facilitate international data transfers.
The old SCCs may no longer be the foolproof data transfer mechanism they once were, so the EDPB requires data exporters to perform a case-by-case analysis to examine if SCCs provide sufficient protection for certain data transfers. In cases where sufficient protection cannot be guaranteed, data exporters must implement additional technical and organizational measures (TOMs). The developments surrounding the Schrems II ruling, coupled with the old SCCs’ age, contributed to the need for updated SCCs.
Standard Contractual Clauses are a model data transfer mechanism primarily designed to help controllers and processors legally facilitate data transfers to third countries. SCCs are a standardized and pre-approved model data protection clause that allows controllers and processors to comply with their obligations under EU data protection law. SCCs can be incorporated into contractual arrangements between parties, such as commercial partners, to avoid liability and retain GDPR-like protection for EU personal data even after leaving the EEA.
The European Commission released the “New SCCs” to replace the old ones and better facilitate international data transfers while strengthening data protection and complying with the GDPR’s provisions. The new SCCs address the deficiencies in the previous version and provide more legal predictability to EU businesses while offering more flexibility for complex data processing chains.
The new SCCs feature several modifications and quality enhancements from the old SCCs to align with the GDPR requirements and the Schrems II ruling. The new SCCs have a more flexible and encompassing structure that contains four modules for four cross-border transfer scenarios, all codified into a single document. They place more focus and impose significant obligations on data importers, especially importers who act as controllers. The new SCCs include safeguards against government access to personal data and third-country laws.