Ever since the July 2020 ruling by the Court of Justice of the EU in Schrems II, which invalidated the EU-U.S. Privacy Shield, the transfer of personal data from the European Union/European Economic Area (EU/EEA) to the US has been facilitated almost exclusively by integrating the Standard Contractual Clauses to relevant contractual arrangements.
The Standard Contractual Clauses are contractual provisions preapproved by the European Commission, which govern how a receiving party (the importer) will handle personal information. These Clauses also impose on the importer certain obligations and requirements to ensure appropriate data protection.
On June 4, 2021, the European Commission published new sets of Standard Contractual Clauses to replace the original 2001 Standard Contractual Clauses that had been used to-date.
The first set of new Standard Contractual Clauses replaces the original set, relating cross-border data transfers to third countries. These clauses feature more flexibility for complex processing chains, through a ‘modular approach’ (transfers between controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller) and by offering the possibility for more than two parties to join and use the clause.
In addition to the above-mentioned set of Standard Contractual Clauses, the European Commission also added a second set of clauses. These are composed of entirely new contractual terms between controllers and processors. The intent behind these contractual terms is to set a consistent standard for the relationship between controllers and processors.
The new Standard Contractual Clauses provide a more exhaustive and adequate compliance that needs to be integrated to contracts pursuant to the requirements of the General Data Protection Regulation (GDPR) that was adopted in May 2018, and the conclusions of the Court of Justice of the EU in Schrems II.
Implementation of the New Standard Contractual Clauses
The new Standard Contractual Clauses are in force and have taken effect since June 27, 2021.
However, the European Commission has issued a multi-step approach for the implementation of the new Standard Contractual Clauses, as follows:
- The old Standard Contractual Clauses will still be deemed valid and be used for new agreements that involve data transfers during a three-month transition that started on June 27, and ended on September 27, 2021.
- Commencing September 27, 2021, all new agreements involving data transfer (from the EU/EEA) will be required to incorporate the new Standard Contractual Clauses.
- Any agreement that was executed before September 27, 2021, relying on the old Standard Contractual Clauses may continue to be used and regarded as valid until December 27, 2022. Starting December 27, 2022, all the agreements relying on the old Standard Contractual Clauses must be changed or amended to incorporate the new Standard Contractual Clauses. The timeline applies to any downstream subcontracting agreements.
Due to the above timeline, Possinger Law Group recommends that clients review their existing agreements involving data transfer from the EU/EEA to determine how they are affected by the new Standard Contractual Clauses, while also identifying what administrative or technical changes may be required in order to remain in compliance. It is highly recommended to hire a professional legal consultant knowledgeable in EU data privacy law to assist with this matter.