It has been reported that the European Commission will publish the final versions of the new forms of standard contractual clauses (“SCCs”) shortly (potentially even in the next few days). The Commission published preliminary versions of these SCCs and of the Commission's implementing decisions in December 2020. These new SCCs are, without doubt, the most important development in European data protection law since the entry into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, three years ago this month. These new SCCs will replace previous versions of the SCCs, some of which date from 2001 and predate the GDPR. We are closely monitoring developments in this area and will report on the new SCCs as soon as they are released. We expect the impact of these SCCs to be significant for organizations that are directly subject to the GDPR or that receive personal data from organizations subject to the GDPR.
As everyone knows, SCCs are model data transfer agreements that allow data exporters in the European Economic Area (“EEA”) to transfer personal data to countries outside the EEA which the Commission considers to provide an “inadequate” level of data protection in accordance with the EU General Data Protection Regulation. (Countries in this category include Australia, Brazil, China, India, and the United States.) The new SCCs include four different forms (controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor), compared to only two forms in the current versions, namely controller-to-controller and controller-to-processor. Compared to the current SCCs, the new SCCs also impose significantly strengthened obligations on both exporters and importers of data, to reflect both the entry into force of the GDPR in 2018 and the decision of the Court of Justice of the European Union in the Schrems II case in 2020.
Based on press reports, the final versions of the new SCCs may, at least in part, be substantially different from the draft versions published in December. For example, organizations may be given a longer period to transition from the existing SCCs to the new SCCs. Many organizations also hope that the final versions of the new SCCs will help resolve some tensions between the December draft version and the European Data Protection Board’s guidance on Schrems II compliance (including whether organizations are allowed to take a risk-based approach to assessing data protection risks in the country to which the data is imported).