The European Commission's new SCCs for data transfers
The GDPR recently marked its three-year anniversary, but one aspect of compliance for many companies is much older. Standard contractual clauses (SCCs), the mechanisms that most international organizations used to legally transfer data between the European Economic Area (EEA) and third-party countries—like the US—are over a decade old. For organizations moving data in and out of the EEA, the last few years have been complicated. The EU-US Privacy Shield was struck down in 2020, and most companies have been left relying on older SCCs in the hope that they were in compliance.
Fortunately, as of June 4th there are new standard contractual clauses that map more nicely to actual data practices and offer guidance to organizations looking to move personal data across borders.
Companies will have until December 2022 to switch over to the new format. The National Law Review outlines some key new features of the SCCs, such as:
- Modular provisions that allow for controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller data transfers.
- A new requirement that parties complete a transfer impact assessment (TIA) to confirm that the protections under the laws of the third-party country are adequate to those provided by the GDPR.
- Notification requirements for when governments request to access personal data.
- A path for non-EEA processors to use sub-processors for "onward" data transfers.
- More power for data subjects, such as allowing them to personally enforce the SCCs and request copies of SCCs.
- Emphasis on security. Specifically, the SCCs require a detailed description of security measures for each module.
Are these a perfect solution to the lack of a Privacy Shield? No, but they do remove some uncertainty about how to deal with data transfers to third-party countries. You can learn more about the SCCs and see their full text at the European Commission's site.