New EU CCPs for international data transfers now published | Bryan Cave Leighton Paisner
The European Commission adopted revised standard contractual clauses for international transfers (the “new CSCs“) on Friday, June 4, 2021. The new CCPs incorporate a number of additional provisions intended to strengthen the level of protection of personal data transferred to” third countries “, such as the United States, which have not been recognized by the European Commission as offering “adequate” protection.
The adoption of the revised CCPs follows that of the Court of Justice of the European Union (“CJEU“) ruling in the Schrems II judgment (Case c-311/18) which invalidated the EU-US Privacy Shield mechanism and determined that SCC-based transfers could continue provided that a level of protection of the personal data transferred was “substantially equivalent” to that provided by the General Data Protection Regulation (2016/679) (“GDPR”) Could be guaranteed (additional recommendations to comply with Schrems II available here).
The Commission notes that the new CSCs offer the following main innovations:
- A single entry point covering a wide range of transfer scenarios (i.e. a composite approach), instead of separate sets of clauses;
- More flexibility for complex processing chains, by a “modular approach” and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox comply with the Schrems II judgment; ie an overview of the different steps companies need to take to comply with Schrems II as well as examples of “additional measures”, such as encryption, that companies can take if necessary; and
- For data controllers and processors who are currently using previous sets of standard contractual clauses, a transition period of 18 months is foreseen (noting that the new standard contractual clauses should be used for new transfers once they have entered into force).
The new CCPs will be published in the Official Journal of the European Union in the coming days and will enter into force after 20 days. At the same time – and with less fanfare – a set of standard data processing clauses (i.e. controller / processor clauses without international transfer) will also be published.
We will follow this update with our analysis of the new CCNs and the impact for companies looking to rely on them.