The new SCCs – more questions than answers?
By Louisa Williams, legal director at TLT LLP
On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (SCCs). It is nearly a year since the European Court handed down its judgment in the Schrems II case, so the publication of the new SCCs is welcome news for many organisations across Europe and beyond.
The new SCCs seek to address the complex requirements laid out by Schrems II, and lay to rest some of the speculation and uncertainty following the Schrems II judgment.
Key points to note
With that said, many questions remain unanswered. For organisations carrying out data transfers subject to the UK GDPR, the ICO intends to issue draft new SCCs for consultation this summer. In the meantime, UK organisations must continue to rely on the previous EU SCCs when undertaking data transfers that are subject to the UK GDPR. However, for organisations transferring data from both the UK and the EEA to a third country, like the United States, they may well be asking: how will these two separate forms of SCCs work together?
Given that this question and so many others remain unanswered for UK-based businesses, some may well be questioning whether it is permissible to wait until the UK version is published in final form before repapering existing contracts. However, for those businesses that are subject to the EU GDPR, it is clear that the publication of the new SCCs marks the start of a lengthy project of contract repapering, international data flow mapping and contingency planning for businesses, rather than a conclusion to the uncertainty which has prevailed for the last 12 months.
Given the uncertainty around the SCCs and the now invalid EU-US Privacy Shield (and any replacement to it, whether at a UK and/or EU level), we are seeing increasing numbers of global clients look again at submitting a Binding Corporate Rules application to protect their internal transfers, in the hope and expectation that it provides greater protection against what has become a fairly volatile area of law. We do not expect to see an end to the ongoing challenges against organisations which transfer data overseas in reliance upon the SCCs, and against the regulators which are responsible for enforcing compliance with the EU GDPR.
Appreciating the major task which now faces organisations of all scales, organisations may likely turn to their AI solutions where possible to read contracts and identify those which need to be varied to introduce the new SCCs. This could save a considerable amount of time for organisations undertaking a repapering project, and should allow businesses to significantly reduce the cost of ensuring compliance now that the new SCCs have been launched.
Louisa will be joined by TLT colleagues Emma Erskine-Fox, Grace Roddie and Gareth Oldale for a webinar ‘Delving into the new SCCs’ on Wednesday 14 July 2021. Find out more and register to attend via their website.