On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.
The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data. This approach was disputed by the European Data Protection Board (EDPB) and the European Data Protection Supervisor in their joint opinion on the Commission’s draft SCCs which was published in November 2020 (the Joint Opinion) who consider that even theoretical access to personal data is of concern.
Companies now have 18 months to update their supplier contracts and other data export arrangements.
Click here to read our Standard Contractual Clauses deep dive publication. This includes an explanation of key points to note, including how the new clauses deal with the requirements of the Schrems II case.
On Monday 14 June we hosted a webinar to discuss the impact of the new SCCs in more detail. Click here to watch it on-demand.