On Friday, the European Commission published the final version of its new standard contractual clauses for transferring personal data to non-EU countries ("New SCCs"). This follows the earlier publication of a draft version of the New SCCs in November 2020. The final version retains the modular approach for different types of transfers proposed in the draft version, as well as obligations designed to achieve compliance with the principles laid down in the Schrems II judgment, while also making significant changes in a number of key areas. We'll be sharing further insights during the course of this week on our Connect on Tech blog, but there are several key points worth noting at this early stage:

  • Implementation period: the implementation periods have been extended. In summary:
    • The decision implementing the New SCCs will enter into force on 27 June 2021 ("Implementation Date").
    • The existing standard contractual clauses ("Old SCCs") will be repealed three months after the Implementation Date, i.e. from 27 September 2021 ("Repeal Date").
    • Old SCCs entered into before the Repeal Date will remain valid for 15 months following the Repeal Date, i.e. until 27 December 2022.
  • This means that organisations:
    • have just over 18 months to replace Old SCCs entered into before the Repeal Date; and
    • do not have to start using the New SCCs for new agreements for just over 3 months, i.e. until after the Repeal Date.
  • Schrems II: in assessing the data importer's ability to comply with the New SCCs, the parties can take into account subjective factors, namely the data importer's practical experience with requests for disclosure from public authorities. However, consideration of these factors is subject to strict conditions, and conclusions must be supported by other objective elements. This is clearly a positive development for organisations. However, the EDPB, in its recommendation on supplementary measures, ruled out consideration of subjective factors, and it therefore remains to be seen whether it will alter its position in the final version of the recommendation, due to be released later this month.
  • Territorial scope: the New SCCs are only required where the data importer is not directly subject to the GDPR.
  • Hierarchy: it's still unclear in the final version how contradictions between the New SCCs and commercially agreed positions in related agreements will be resolved in practice. For example, it's possible that an exclusion or limitation of liability would contradict the New SCCs, since the New SCCs arguably provide for unlimited liability for damage caused by their breach. Although the EDPB and EDPS, in their joint opinion on the New SCCs, had requested clarity on the kinds of clauses which would contradict the New SCCs, that clarity has not been forthcoming in the final version.
  • UK: The New SCCs cannot be used for transfers of personal data from the UK to third countries for the purposes of the UK GDPR (although the Old SCCs can continue to be used for these purposes). However, the ICO intends to consult on and publish UK standard contractual clauses for the purposes of the UK GDPR during the course of this year.

Organisations should start preparing to use the New SCCs for future agreements following the Repeal Date of the Old SCCs, as well as planning to update existing agreements that use the Old SCCs by replacing these with the New SCCs during the 18-month implementation period.