When the EU’s General Data Protection Regulation (GDPR) was introduced in 2018, businesses had to make significant changes to the way that they collected, used and transferred personal data. The requirements around data transfers have undergone a series of legal challenges, most recently with the invalidation of the Privacy Shield regime as a result of the Schrems II decision. The standard contractual clauses (SCCs) remained the only option for many businesses to compliantly transfer personal data outside the EEA, and Schrems II meant that these had to be bolstered with additional measures and processes.

In June this year, the European Commission released the final Implementing Decision on standard contractual clauses (New SCCs). Thankfully, the New SCCs address some of the issues with the previous SCCs, but they should in no way be seen as an easy fix. 

What exactly are the New SCCs?

The New SCCs are one of a number of ‘appropriate safeguards’ that can be used for the transfer of personal data from the EU to ‘third countries’ (ie, countries outside the EU) which have not been deemed ‘adequate’ by the European Commission. They are the preferred data transfer mechanism of many businesses, in particular for transfers to parties outside the corporate group.  Key changes introduced by the New SCCs include:

• taking a modular approach to a wider range of data transfer scenarios
• bringing the previous outdated SCCs into line with the GDPR, and
• addressing a number of concerns raised by Schrems II.

After a transition period, use of the previous SCCs will no longer be valid. 

What does this mean for your business?

Organisations now must use the New SCCs for new or updated data transfers and have until 27 December 2022 to migrate any existing EU SCC arrangements to the New SCCs. This is relevant to any data exporters currently using the previous clauses or who will consider transferring personal data from the EU in the future or who are making material changes to existing contracts.

As with any new regulatory change, the sooner the businesses get to grips with this latest regulatory conundrum, the better. Indeed, it is expected that most organisations now have a mammoth task of reviewing and updating hundreds- if not thousands- of contracts to implement the New SCCs where required.

To add to the complexity:

• the UK is currently also consulting on their own version of the New SCCs
• EU guidance has been released for consultation this month on data transfers that do not qualify as an international data transfer that would require the use of New SCCs (or alternative appropriate safeguards), and
• it may still be necessary to carry out transfer impact assessments (TIAs) and to implement additional safeguards in relation to transfers to high-risk countries.

Without the right support, this has the potential to be a huge drain on resource and time for legal, compliance and procurement teams and also risks distracting them from strategic business priorities.

What can I do about it?

Combining legal knowledge, best-in-class technology and process expertise, Deloitte are assisting businesses facing large-scale document review and remediation in light of the changes to the SCCs. Our use of cutting-edge technology such as AI enables us to perform rapid, thorough reviews of entire document sets, helping us to gain a quick understanding of your obligations.

Our research indicates that the key to a successful SCC repapering project is multifaceted engagement across the organisation (privacy, legal, IT, procurement), with execution time being 1.5x faster when the client works in conjunction with their supplier rather than in isolation.

At Deloitte, we become part of your legal ecosystem of third parties and stakeholders to build solutions tailored to your complex business needs. Our lawyers use their deep in-house expertise and knowledge of your business to ascertain the impact of regulatory change on your organisation, leaning on our global network of Deloitte Legal professionals to recommend appropriate responses and, if desired, implement these recommendations to support effective compliance with the SCC overhaul and on other data transfer-related issues.

At Deloitte, we understand that legal, compliance and procurement departments are already busy enough dealing with key business priorities.  Let us help you address your compliance obligations with minimum disruption and cost with a multi-disciplinary solution incorporating legal advice, technology and risk and compliance expertise, so that you can get on with the day job.

Interested in finding out more about how Deloitte Legal can assist with your day-to-day from SCC compliance through to contracting, IP compliance and entity management? Get in touch today!