Re-papering clock continues to tick, as new EU SCCs come into force today

The new EU standard contractual clauses (New EU SCCs) came into force today for the transfer of personal data from the EEA to third countries under the EU General Data Protection Regulation (EU 2016/679) (EU GDPR).

The European Commission Implementing Decisions ((2001/497/EC) and (2010/87/EU)) which incorporated the previous standard contractual clauses (Old EU SCCs), were also repealed today.

The New EU SCCs have been updated to take account of the EU GDPR coming into force, seek to deal with the practicalities currently faced by organisations and provide greater flexibility for more complicated processing supply chains (by implementing a "modular" approach). The New EU SCCs also take into account the ECJ's judgment in Schrems II, providing a way to assist organisations in complying with the judgment and including examples of 'supplementary measures' to further protect personal data being sent to countries which don't otherwise provide adequate protection.

For a full background plus our analysis of the New EU SCCs and related practical implications, please refer to our previous blog post here.

From today, key points to note:

New agreements (entered into on or after 27 September 2021)

• New EU SCCs must be used for any new agreements entered into that rely on model EU data transfer clauses to legitimise the transfer of personal data from the EEA to third countries under the EU GDPR.

• Old EU SCCs cannot be used as a valid transfer mechanism for new agreements entered into that rely on model EU data transfer clauses to legitimise the transfer of personal data from the EEA to third countries under the EU GDPR.

Existing Agreements (entered into before 27 September 2021)

• Existing Agreements incorporating Old EU SCCs remain valid and provide appropriate safeguards until 27 December 2022.
• Organisations therefore have 15 months to "re-paper" agreements relying on the old EU SCCs and replace them with the new EU SCCs.
• This is provided that the processing operations that are the subject matter of the agreement remain unchanged and subject to appropriate safeguards – any such change can trigger an earlier "re-papering" deadline at the date of the change if the parties still wish to rely on model EU data transfer clauses.

Today's milestone will no doubt focus the minds of data exporters and importers on the large task ahead of updating their international data transfer agreements accordingly.

Of course, for multi-national organisations with a footprint that covers both the EEA and the UK, compliance teams will also need to factor in the UK's finalised approach to international data transfer agreements in due course; with the UK ICO’s consultation running in parallel regarding its own draft international data transfer agreement (to address transfers of personal data from the UK to third countries), a UK addendum for inclusion to the New EU SCCs and an international transfer risk assessment guidance note and tool.