The EU’s executive body has issued its latest set of standard contractual clauses (SCCs) to enable companies to complete safe data transfers between the European Union and third countries, most notably the United States.
Launched June 4, the “revamped” SCCs unveiled by the European Commission are meant to be more closely aligned with the General Data Protection Regulation (GDPR) and less susceptible to government prying—a situation that led to the collapse of the EU-U.S. Privacy Shield in 2020.
They contain specific provisions meant to control or limit the extent of any potential requests by governments or investigatory authorities in third countries to access any personal data being transferred. For instance, there is now an obligation to notify the data exporter if the data importer becomes subject to laws or practices that might infringe the clauses.
Further, data importers will also be obliged to reasonably challenge governmental access requests where they infringe fundamental rights of the data subjects.
The new SCCs also contain provisions regarding maintaining data processing records; notifying data subjects about the details of the data transfers; personal data breaches; cyber-security measures; whether/how parties may contractually limit their liability; and choice of law and dispute resolution.
Data subjects are allowed to request copies of SCCs (subject to certain redactions), as well as directly enforce many of the clauses’ provisions. Lawyers say this increases parties’ exposure to potential privacy litigation.
In addition to the increased obligations, the SCCs also provide some compliance shortcuts. For example, the new clauses allow both non-European Economic Area controllers and processors to use the SCCs for onward transfers of personal data. This allowance will permit companies to pass imported data on to third parties without the need for a separate SCC. New parties can also be added more easily through a “docking” clause rather than requiring the SCCs to be re-executed every time.
The new SCCs come into force June 27. Organizations may continue to use the current clauses until Sept. 27 but must transition all SCCs concluded before that date by Dec. 27, 2022. This means organizations will need to embark on a mass repapering exercise to ensure all vendor contracts and intragroup agreements contain the new SCCs if personal data is transferred.
While the latest SCCs strengthen the abilities of data controllers to prevent access to personal data through national surveillance laws, they are not bulletproof. Companies transferring data between the European Union and third countries will still need to take precautions and a risk-based approach. This includes:
- Assessing the risks of transferring the data;
- Taking into account what kind of personal data is being transferred (and for what purpose);
- Assessing how the legislation and practices in the third country of destination may impact the level of data protection; and
- Continuing to use supplemental safeguards (including technical and organizational measures) to ensure the data is protected to a level essentially equivalent to that afforded in the European Union.
Law firms warn that companies should not ignore the obligations imposed upon them when they transition to the new SCCs. In particular, Wolf Theiss advises companies to:
- Review and document the adequacy of the level of data protection for any third country where data is being transferred;
- Document any supplementary/technical measures put in place in addition to the SCCs; and
- Double-check privacy notices and inform data subjects which SCCs are in place and how they can receive a copy of them.