On June 4, 2021, the European Commission adopted modernized standard contractual clauses (“SCCs”) for use in international data transfers (collectively the “Clauses”). These updated Clauses reflect new requirements under the EU’s General Data Protection Regulation (GDPR) and take into account the EU Court of Justice’s Schrems II decision, which invalidated the U.S.-E.U. Privacy Shield program in July 2020. The Clauses also address known short-comings with the old SCCs.
The GPDR restricts transfers outside of the EU unless an exception applies. Generally, this means a controller (i.e., a person or entity that is in charge of how data is processed) or processor (i.e., a person or entity processing at the direction of a controller) may transfer personal data internationally only if it has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for EU citizens are available. For international transfers of data to countries such as the U.S., SCCs are therefore essential for compliance with the GDPR. Following is an overview of some of the more notable changes and what to plan for if you rely on SCCs as a data transfer mechanism.