The final version of the new standard contractual clauses (“SCCs”) were published by the European Commission on June 4, 2021. Many organizations that transfer or receive personal data originating in the European Economic Area (“EEA”) outside the EEA will be required to implement these SCCs with their customers, suppliers and affiliates by December 2022 to comply with the EU General Data Protection Regulation (“GDPR”). This is perhaps the most significant GDPR development since the passage of the GDPR. We had foreshadowed this impending development last week.
It has been reported that European Commission will publish the final versions of new forms of Standard Contractual Clauses (“SCCs”) shortly (even potentially within the next few days). The Commission published draft versions of these SCCs and the implementing Commission Decisions in December 2020. These new SCCs are, arguably, the most significant development in European data protection law since the coming into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, which was three years ago this month. These new SCCs will replace prior versions of the SCCs, some of which date back to 2001 and pre-date the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as these are published. We expect the impact of these SCCs to be significant on organizations which are directly subject to the GDPR or which receive personal data from organizations that are subject to the GDPR.
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, ruling, among other things, that U.S. domestic law governing law enforcement access to transferred data does not satisfy the GDPR’s requirements because, as the Court stated, U.S. surveillance programs are not limited to “what is strictly necessary to achieve the legitimate objective in question”. In a separate portion of the opinion, however, the CJEU upheld as valid Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries. This is the second ruling (known commonly as “Schrems II”) by the CJEU overturning an established mechanism to transfer personal data from the EU to the U.S. Indeed, only five years ago the CJEU issued its “Schrems I” decision invalidating the long-standing EU-U.S. Safe Harbor, which had been a method to transfer data across the Atlantic without running afoul of the EU Data Protection Directive, a predecessor of the GDPR.