The European Commission published new Standard Contractual Clauses (SCCs) on June 4, 2021, replacing the three sets of old SCCs that organizations have relied on for years to transfer personal data from the European Union to third countries. The new SCCs introduce significant changes, including a new modular structure, enhanced Transfer Impact Assessment (TIA) requirements, and provisions that respond to the CJEU’s Schrems II decision.
Background: Why New SCCs?
The Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in July 2020 in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II). The court held that the Privacy Shield provided insufficient protection for EU personal data transferred to the United States. While the court upheld the old SCCs as a valid transfer mechanism, it imposed new obligations on organizations relying on SCCs, including the requirement to assess whether SCCs provide adequate protection in the specific context of each transfer, known as a Transfer Impact Assessment (TIA).
The new SCCs were designed to incorporate these Schrems II requirements and provide a more modular, flexible approach to cross-border transfers.
Key Features of the New SCCs
Four Modules
The new SCCs include four modules to address different controller/processor relationships:
| Module | Transfer Type |
|---|---|
| Module 1 | Controller to Controller (C2C) |
| Module 2 | Controller to Processor (C2P) |
| Module 3 | Processor to Processor (P2P) |
| Module 4 | Processor to Controller (P2C) |
Organizations must select the appropriate module(s) based on the role of each party in the data transfer relationship.
Key Clauses
Clause 14: Transfer Impact Assessment (TIA)
The new SCCs require parties to conduct a TIA demonstrating that the laws and practices of the destination country do not undermine the protection provided by the SCCs. The TIA must consider factors including the laws and practices of the destination country relating to government access to personal data, and any relevant experience of the data exporter and/or importer.
Clause 15: Government Access Notification
The data importer must notify the data exporter (and, where possible, data subjects) of any legally binding government request to disclose personal data transferred under the SCCs.
Clause 17: Governing Law
The new SCCs allow parties to choose the governing law of any EU Member State, provided the choice permits third-party beneficiary rights.
Clause 18: Choice of Forum and Jurisdiction
Data subjects may bring claims against the data exporter or importer before the courts of the Member State in which the data exporter is established.
Compliance Timeline
The compliance deadlines for transitioning from old SCCs to new SCCs were:
| Milestone | Deadline |
|---|---|
| New SCCs in force | June 27, 2021 |
| Old SCCs no longer valid for new contracts | September 27, 2021 |
| Migration of existing contracts required | December 27, 2022 |
As of December 27, 2022, all processing subject to the old SCCs must have transitioned to the new SCCs or another valid transfer mechanism.
Action Steps for Compliance
- Inventory existing SCC agreements: Identify all contracts currently relying on old SCCs
- Determine applicable modules: Assess the controller/processor roles of the parties in each transfer relationship
- Conduct Transfer Impact Assessments: For each transfer relationship, assess whether the destination country’s laws adequately protect the transferred data
- Update contracts: Replace old SCCs with appropriate new SCC modules
- Implement supplementary measures where needed: Where TIAs identify risks, implement appropriate technical, contractual, or organizational supplementary measures
- Address Clause 14 documentation: Maintain documentation of TIAs and the basis for conclusions about destination country law
- Update internal procedures: Revise data mapping, privacy notices, and vendor management processes to reflect new SCC requirements
Impact on U.S. Organizations
U.S. organizations that receive EU personal data under the old SCCs needed to transition to the new SCCs by December 27, 2022. Organizations that have not yet completed this migration should do so immediately.
Additionally, the new SCC requirements for TIAs and government access notification may require U.S. organizations to update their internal legal analysis procedures and contractual documentation practices.
For assistance evaluating your organization’s SCC compliance, contact Fey LLC. The EU-U.S. Data Privacy Framework, adopted in July 2023, now provides an additional (and potentially simpler) alternative to SCCs for eligible U.S. organizations; see our post on the new EU-U.S. adequacy decision.