Since the Schrems II decision in July 2020, there has been great legal uncertainty regarding data transfers to recipients in third countries outside the EEA, in particular to the USA. This uncertainty is also fueled by the numerous proceedings initiated by noyb. Therefore, the new Standard Contractual Clauses which were already announced at the end of last year, were longingly awaited. They are supposed to ensure appropriate safeguards according to Art 46 GDPR, in order to permit transfers to such third countries. The wait is now over: the EU Commission published the final version of the standard contractual clauses (SCC) on Friday, June 4. Compared to the preliminary draft from November 2020, which we have summarized for you here, little has changed in terms of content. The modular structure, the long-overdue mapping with the GDPR (instead of relying on the Data Protection Directive) and extensions of the obligations of both parties lead to a higher level of protection compared to the previously widely used SCCs. Our DORDA data protection experts have compiled the most important changes to the final draft 2020 for you:
Hard facts - what has changed?
Even the conclusion of the new standard contractual clauses alone is no guarantee for a secure third country data transfer in the future. In this respect, the EU Commission has therefore followed the strict approach of the European Data Protection Board (EDPB). In practice, this means that risk assessment and case-by-case evaluation will continue to accompany us. In addition to any additional contractual assurances that may be required, the accompanying technical measures listed as examples in Annex II, such as encryption mechanisms, will be of central importance in securing legally compliant data transfer.
In any case, the new SCCs that have now been issued mean that there is an urgent need for action, and hopefully they will also put an end to the shock paralysis or waiting mode that has occurred in some cases among US providers. It is now clear what is necessary for a lawful data transfer and how the previous legal bases must be adapted. The transition period for existing agreements is, on the one hand, generous, but on the other hand, there is a very timely and urgent need for adjustments for new agreements.