The European Commission Publishes Comprehensive Contractual Clauses For Use in Data Transfers from Europe
In June, the European Commission published the final version of a new set of standard contractual clauses (SCCs) that can be used to comply with the EU’s General Data Protection Regulation (the “GDPR”). These clauses are of particular importance to US companies dealing with companies in the European Economic Area (EEA) because the most commonly used alternative to the SCCs had been the EU-US Privacy Shield, which the European Court of Justice invalidated last year.
The new regulations have a phase-in period, during which all existing contracts that rely upon the old versions of the SCCs will likely have to be revised. The key dates are 27 September 2021, before which time companies may continue to use the old SCCs, and 27 December 2022, when use of the old SCCs will not be sufficient to comply with the GDPR.
The new SCCs are both more flexible and more demanding than the old ones. For flexibility, they are drafted in a modular form that allows companies to choose only those provisions that apply to the relationships that they have with each other and with respect to the data. They also apply to relationships that had not been covered at all by the old SCCs, such as transfers from one data controller to another. And they permit the addition of new parties to SCCs previously agreed upon by two or more initial signatories.
The new burdens are significant. In particular:
These and other details vary from module to module. Thus, the obligations of a US company receiving personal information about EU residents may vary depending upon which party (if any) is a “controller” of that data, and which party (if any) is a “processor” of that data.
In short, if your business involves the receipt of information about EU residents from another company, you can expect to have to overhaul existing SCCs that you have in place and to use the new SCCs in any new contracts signed after September 27, 2021.