Here We Go Again ' The Odyssey Of International Data Transfer Challenges Continues

• Published date: 20 July 2021
• Subject Matter: Privacy, Data Protection
• Law Firm: Schoenherr Attorneys at Law
• Author: Ms Veronika Wolfbauer and Florian Terharen

On 4 June 2021, the European Commission ("Commission") issued new standard contractual clauses ("SCCs")¹ pursuant to the GDPR² for the transfer of personal data to third countries. After a transitional period of 15 months, ie at the latest by the end of 2022, all currently concluded SCCs must be superseded by the new SCCs.

Legal Background

According to Art. 44 GDPR every transfer of personal data to a third country (i.e. a country outside the EU) must meet the standards as set forth in Chapter V of the GDPR. The transfer including any onward data transfer is only allowed if "adequate" safeguards for personal data are in place in the data recipient's country. In practice, this adequate level of data protection is often met with SCCs. Standard Contractual Clauses are a standardized contract with provisions that govern the proper handling of personal data of natural persons. The current versions of the SCCs were issued by the European Commission in the years 2001³ and 2010⁴ ("the old SCCs").

As a consequence of the CJEUs "Schrems II" ruling⁵ the "old" SCCs needed to be amended. In brief, the CJEU declared the SCCs to be valid in principle but require additional effective safeguards to ensure that the required level of protection is met in practice. The CJEU extended the review obligations for companies (and data protection authorities likewise). In particular, the CJEU demands that companies check the required level of data protection before transferring data (based on all circumstances of the individual case).

At the beginning of June, the European Commission issued a revised version of the SCC ("the new SCCs") which became effective as of June 27, 2021.

New obligations, more legal certainty

To reflect technological developments and the increase in cross-border data flows, the new SCCs not only include more obligations for the "data exporter" (i.e. the EU-entity transferring data to a third country) but also for its counterpart, the "data importer".

The new SCCs contain a modular approach that aims to depict all possible processing scenarios in only one document:

• Module 1: Controller to controller;
• Module 2: Controller to processor;
• Module 3: Processor to processor;
• Module 4: Processor to controller.

These modules enable data exporters and importers to select the clauses that are relevant to the type of data transfer they engage in (processor-to-processor and processor-to-controller transfers, in addition to controller-to-controller and...