The New Standard Contractual Clauses
In June 2021 the European Commission issued new Standard Contractual Clauses, or ‘SCCs’. SCCs are essentially model contract clauses which have been approved in advance by the European Commission. The object of these SCCs is to essentially provide a standard baseline for ensuring the apt level of data protection for data transfers from the EU to third countries. Indeed, these are required to be adhered to by data controllers and processors in case of such transfers. The new SCCs replace those which were issued under the Data Protection Directive 95/46 – the precursor data protection regime to the General Data Protection regulation (‘GDPR’). The clauses contained in the SCCs are essentially intended to ensure that the controller or processor receiving possession of the data outside the EU/EEA will be on a comparable legal footing with their counterparts subject to EU data protection law.
The SCCs & the Data Transfer Between the EU and the US
The new SCCs will not only be instrumental for facilitating data transfers from controllers or processors in the EU/EEA to controllers or processors established outside of the EU/EEA, but also to perhaps also fill in the gap which was left by the Schrems II judgment. In this case the Court of Justice of the EU (‘CJEU’) effectively rendered the EU-US privacy shield invalid, striking a considerable blow to the smooth relay of data transfers between the EU and the US. Whilst the SCCs are more aimed at aptly facilitating data transfers from within the EU/EEA to a country outside of it, the SCCs can nevertheless be hailed as an aid for data transfers which may need to occur from within the EU to the US.
The impact of the Schrems II case invalidating the EU-US privacy shield has been rather substantial, considering in particular that transfers from the EU to the US were not being treated as transfers to a non-EU/EEA country, and thus, not requiring 'additional safeguards' to ensure the handling of data once it leaves the EU/EEA. The privacy shield, in fact, facilitated such transfers between the EU-US with the same ease as if the data transfer was occurring between two or more EU/EEA Member States. The Schrems II case, however, had also raised doubts as to whether even SCCs – between the EU and US – would be affected. Nonetheless, the court assured that the SCCs utilised between the two continents would not likewise be impacted.
These updated SCCs are essentially already in force, and should be availed of by all data controllers and processors for third country transfers of data. The EU implementing decision introducing the new SCCs entered into force on the 27th June 2021.