Personal data can only be transferred to countries outside the EEA if so-called ‘appropriate safeguards’ are in place and data subjects have enforceable rights and effective legal remedies. Appropriate safeguards may include the use of standard data protection clauses approved by the European Commission. In practice, these ‘standard contractual clauses’ (SCCs) are the most evident transfer mechanism when no adequacy decision exists for the third country concerned. This is the case, for example, for data transfers to the US since the EU–US Privacy Shield was invalidated by the Schrems II judgment.
Subsequently, in November 2020, the European Commission published a draft of new SCCs, and the European Data Protection Board (‘EDPB’) adopted recommendations on the additional measures that can be taken when it appears that the legal framework of the third country does not provide equivalent protection.
On 7 June 2021, the final version of the new SCCs was published in the Official Journal of the European Union. The new SCCs contain general provisions adapted to the language of the GDPR and also four ‘modules’ that cover different transfer scenarios:
These modules represent a significant improvement in comparison with the old SCCs, which only covered the first two situations. For transparency of processing, these modules also include the right of data subjects to receive a copy of the SCCs.
In addition, the new SCCs contain three annexes:
Finally, the new SCCs include a number of so-called Schrems II provisions on obligations for data importers in third countries when a public authority wishes to access European personal data.
In terms of timing, the old SCCs only expire on 27 September 2021, so you still have three months from today to choose between the old and new SCCs if you enter into new agreements. For existing agreements, you still have until 27 December 2022 to replace the old SCCs with the new SCCs, but nothing prevents you from making this update today.
Even when companies use the new SCCs, as a result of the Schrems II judgment, they still need to verify whether these appropriate safeguards are effective in view of the privacy legislation in the third country concerned (and take additional measures if the appropriate safeguards prove to be ineffective). The European Data Protection Board updated its Recommendations No. 01/2020 on 18 June 2021, providing additional clarification, in particular, to guide the assessment of the third-country legislation (data transfer impact analysis):
If the relevant legislation is problematic, but you have no reason to believe that it will be applied in practice, then you may decide to proceed with the data transfer without taking supplementary measures. The assessment that the legislation is not applied in practice should then be documented in a detailed report in which you have to explain, among other things, the internal procedure to produce the assessment (e.g., involvement of lawyers or other consultants). This report should be endorsed by the company’s legal representative.
Finally, the EDPB emphasises that the exceptions under Article 49 GDPR (including transfers that are necessary for the conclusion or performance of a contract, or transfers that occur on the basis of the explicit consent of the data subject) can only be applied on an occasional basis and can therefore not be used to escape the obligation to carry out an assessment of the legislation in the third country.