New EU SCCs published: Time to sharpen up the plan
June 07, 2021
New EU Standard Contractual Clauses (SCCs) were published by the European Commission on Friday 4th June 2021. The European Commission adopted two sets of SCCs: one for use between controllers and processors and one for the transfer of personal data to third countries. They reflect new requirements under the General Data Protection Regulation (GDPR), and take into account the Schrems II judgement of the EU Court of Justice.
Many companies use SCCs in order to transfer personal data from the EU to recipients outside the EU. For instance, they might use SCCs to transfer personal data to a supplier based in the US, to Corporate HQ in Australia or to a shared service centre in India.
SCCs are a widely used tool; many organisations will have a significant number of contracts containing the ‘old’ SCCs - ten years’ worth in fact. In line with the European Commission’s announcement, contracts containing the ‘old’ versions of the SCCs will now need to be re-papered; that is, switched to the new version, within 18 months.
The time-frame provides some space for organisations to ensure that they have invested in planning a considered approach to their contractual remediation programme. Although organisations will vary in their approach to remediation, there are a number of key elements which will feature in any SCC implementation programme, including the following:
- Understanding the SCCs: Although the Commission emphasised that their priority was to deploy user friendly tools, a number of innovations contained in the clauses would warrant a deep-dive. PwC will be publishing more detailed analysis in relation to these key areas, particularly in relation to complex (onward) transfers.
- Freezing the size of the problem: Although you can continue to use the ‘old’ SCCs for three months, it may make sense to move, as soon as possible, to the new SCCs in relation to new contractual relationships in order to ensure the ‘hole’ that needs to be fixed does not get bigger.
- Identifying current use of the SCCs: Contracts containing the old SCCs need to be identified and located. Some organisations may have already completed this step, with many using technology in order to identify the SCC provisions in their contract systems. Some organisations may have also undertaken an assessment to identify which of the versions (or ‘modules’) of the new SCCs they need to implement, depending on the roles of the parties. At this point, it may also make sense to take the opportunity to check and update the information contained in the schedules of the current SCCs (for instance, the types of personal data covered by the SCCs, and the security measures in place to protect the data, as these aspects may have developed since the SCCs were signed).
- Understanding gaps in coverage: In addition to identifying current use of SCCs, it is important that organisations identify the gaps; that is, those transfers which ought to have had SCCs in place, but did not. In terms of prioritising remediation activity, these transfers might be high up the list, in terms of risk.
- Considering the broader contractual framework: There’s an oft-repeated phrase in relation to SCCs: “You can’t amend the model clauses!” However, you can add provisions to help ‘future-proof’ them and to support them to work effectively in the context of your organisation. For instance, organisations may layer provisions that allow for the addition and deletion of parties (helpful in an intra-group context), and additional measures to address Schrems II (or other developments). The caveat is that the additional provisions must not undermine the protections and rights of the Data Protection Authorities or Data Subjects.
- Building in the UK position: The new EU SCCs are not valid SCCs for making transfers from the UK. The UK ICO indicated that it intends to consult on and publish UK SCCs during the course of 2021, and this should be factored into the project planning.
- Prioritising and phasing execution of the new SCCs: Carefully prioritise the transfers that should be transitioned, considering the renewal dates of existing contracts.
For some organisations, the above will be straightforward. For others, it will be complex and time-consuming. PwC’s data protection team members include privacy lawyers, operational specialists and project managers. We can deploy a multi-disciplinary team to run your SCC remediation project, using technology and delivery centres to ensure we balance quality with cost considerations. Reach out to me or any of the team if you’d like to discuss further.