The European Commission has recently published a proposed replacement for the standard contractual clauses (SCCs) that are used by businesses when transferring personal data outside of the European Union. The current SCCs have been in place since 2010, and in light of recent developments such as the Schrems II decision, they are no longer considered to provide adequate protection for individuals’ data rights.

The proposed replacement clauses are intended to provide stronger and more flexible safeguards for personal data transfer, and they reflect the GDPR’s requirements for data protection. The new SCCs also take into account the Schrems II decision, which invalidated the EU-US Privacy Shield framework and called into question the adequacy of SCCs as a means of data transfer.

The updated SCCs introduce more detailed requirements for businesses when transferring personal data, including the need to conduct assessments of the data importer’s legal system and practices, and the ability to put in place additional measures to ensure data protection. The proposed SCCs also include provisions that address the use of subcontractors, the right of data subjects to enforce their rights, and the data importer’s obligation to cooperate with the data protection authorities.

Businesses are encouraged to review their current data transfer agreements in light of the proposed replacement SCCs, as they will need to ensure that their agreements comply with the new requirements once they become effective. It is expected that the new SCCs will come into effect in early 2022.

In addition to the proposed replacement SCCs, the European Commission has also proposed a new set of SCCs for use by processors, which are entities that process personal data on behalf of data controllers. This should simplify the process of data transfers between controllers and processors and provide greater legal certainty for both parties.

Overall, the release of the proposed replacement SCCs is a positive step towards strengthening data protection and ensuring that businesses are held accountable for the transfer of personal data outside of the EU. By adhering to the new requirements, businesses can ensure that they are complying with the GDPR, protecting the privacy rights of individuals, and avoiding potential legal consequences.