On 4 June 2021, the European Commission adopted two new sets of Standard Contractual Clauses (“2021 SCCs”). The 2021 SCC’s will replace the old SCC’s adopted in 2010.  The adoption of new SCC’s is to reflect the changes to European Union (“EU”) data privacy law, under the General Data Protection Regulation 2016/679 (“GDPR“) and the Schrems II decision[1]Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems., which invalidated the EU-U.S. Privacy Shield. 

What are SCC’s?

Under the GDPR, personal data may be transferred to a recipient outside of the European Economic Area (“EEA”) if there is an adequacy decision whose data protection laws are deemed adequate by the European Commission.  Currently, there are only a handful of countries that has received adequacy decisions.  Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom and Uruguay are considered to provide an adequate level of protection.  In the absence of an adequacy decision, the use of the SCC’s are one of several mechanisms that organisations may use to lawfully transfer personal data to a country that does not provide adequate protection.  

The SCC’s are essentially an agreement between a data exporter (usually an EEA company sending personal data outside the EEA) and a data importer (usually a non-EEA company receiving personal data), ensuring that data transfers meet the basic requirements of the GDPR and that appropriate safeguards are in place. They are unalterable and cannot be changed in any way, but only expanded on.   

The New EU SCC’s 

As from 27 September 2021, data exporters will be required to use the new SCC’s for new contracts.  With regard to existing contracts, the new SCC’s will need to be replaced by 27 December 2022.  

Some key features of the new SCC’s include: 

  • updated obligations for data importers in line with the GDPR; 
  • expanded role players, which makes provisions for transfers from not only controller to controller or controller to processor but also processor to processor and processor to controller transfers; 
  • the new SCC’s make provision for transfer by a non-EEA established data exporter to a data importer also not based in the EEA; 
  • a consolidated set of SCC’s written as one agreement, opposed to the separate SCC’s; and 
  • requirement to conduct transfer impact assessments under certain circumstances.

The Impact on South African Business 

Organisations currently doing business with EU entities should be aware that, in the near future, they may need to enter into the new SCC’s.  Any new agreements which contemplate new data transfers will need to be entered into under the new SCC’s.  Given the new obligations in the SCC’s, South African business will need to analyse the new SCC’s to ensure that it is aware of, and able to comply with the enhanced obligations. 

PPM Attorneys is able to assist your organisation with navigating the new requirements of the SCC’s and provide practical assistance. 

References

References
1 Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.