Tips to Comply with the New SCCs if you have EU customers

The European Commission (EC) recently issued its revised standard contractual clauses for data transfers to third countries. The Commission published two sets of new SCCs. The first set replaces the old SCCs for cross-border data transfers to third countries. The second set is for use between controllers and processors.

These contractual clauses can be the basis for data transfers from controllers or processors in the EU/EEA to controllers or processors outside the EU/EEA (not subject to the GDPR) and will hopefully bring uniformity to such relationships. The EC defines this new version as a way of providing better legal certainty for European businesses wanting to share data with third countries.

Service providers in the US and other third countries should expect EU customers to update their present data transfer agreements in compliance with the updated SCCs by December 2022. Complying with the new SCCs will require a significant amount of time and effort for implementation.

Below are some recommendations for service providers to consider when implementing the new SCCs with their EU customers.

1. Confirm the role of the data exporter and data importer

One of the biggest differences in the new SCCs is that the new SCCs adopt a modular approach. The implementation structure of the new SCCs includes four "modules" to encompass personal data transfers from a legal entity within the EU to that in a third country. The role of the data exporter and data importer determines which module to be followed for the different cross-border data transfer scenarios. The service provider should understand their role and their EU customers' role to identify the most appropriate module for their agreement. With the updated SCCs, it is possible for more than two parties to adhere to contract terms. This more complex contractual "eco-system" was not contemplated by the old SCCs.

2. Be prepared to handle new data subject rights

The old SCCs allowed data subjects to enforce third-party beneficiary clauses only against the data importer or the sub-processor. However, the new SCCs give data subjects the ability to enforce provisions against data exporters and also significantly extend the obligations for importers. Adopting and complying with the new SCCs may require considerable effort for these importers. Some of the obligations include privacy notices, notification of breaches, maintaining records of processing activities,