This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Asset 3
  • About
  • People
  • Capabilities
  • Insights
  • Careers
  • Public Interest
  • Inclusion
  • Contact us
    Contact us
  • Locations
    Locations
  • Search
    Search
  • About
    • About
    • Message From the CEO
    • Firm History
    • Alumni
    • Alumni
    • In Memoriam
  • People
  • Capabilities
    • Practices
    • Industries
    • Global Reach: The Law Firm Network
    • Bankruptcy & Restructuring
    • Brand & Reputation Management
    • Intellectual Property
    • Litigation & Dispute Resolution
    • Special Situations, Distressed Debt and Debt Trading
    • Transactions
    • Tax
    • White Collar Defense, Investigations & Compliance
    • Energy & Environmental
    • Entertainment & Media
    • Investment Management 
    • Life Sciences
    • Technology
    • Real Estate
    • Bankruptcy & Restructuring
    • Bankruptcy Litigation
    • Mass Torts Bankruptcy
    • Intellectual Property
    • Intellectual Property Litigation
    • Patents
    • Trademark, Copyright & Advertising
    • Patent Trial and Appeals Board (PTAB)
    • Litigation & Dispute Resolution
    • Civil Fraud Litigation
    • Employment Practices and Litigation
    • Government Contracts Litigation
    • Intellectual Property Litigation
    • Insurance Recovery
    • Litigation Funding
    • M&A and Private Equity Litigation
    • Real Estate Litigation
    • Patent Trial and Appeals Board (PTAB)
    • UK Tax Controversy & Litigation
    • Special Situations, Distressed Debt and Debt Trading
    • Distressed Debt & Claims Trading
    • Litigation Funding
    • Finance
    • Real Estate Special Situations
    • Transactions
    • Capital Markets
    • Cross-Border Transactions
    • Emerging Growth Companies & Venture Capital
    • Employment
    • Finance
    • Franchising
    • Mergers & Acquisitions
    • Tax
    • White Collar Defense, Investigations & Compliance
    • Economic Sanctions & Export Controls
    • Energy & Environmental
    • Energy
    • Energy Transition
    • Environmental
    • Entertainment & Media
    • Brand & Reputation Management
    • Intellectual Property
    • Sports
    • Investment Management
    • Fund Formation
    • Private Equity Transactions
    • Distressed Debt
    • Emerging Growth Companies & Venture Capital
    • Family-Owned & Closely Held Businesses
    • Private Equity Litigation
    • Life Sciences
    • BR BioAdvisory Services
    • Technology
    • Artificial Intelligence
    • Cybersecurity & Data Privacy
    • Digital Commerce
    • Fintech
    • Real Estate
    • Hospitality & Leisure
    • Distressed Real Estate
    • Real Estate Special Situations
    • Real Estate Litigation
    • Wireless Network Infrastructure
  • Insights
    • Client News
    • Firm News
    • Briefings
    • Events
  • Careers
    • Experienced Lawyers
    • U.S. Law Students
    • London Trainee Program
    • Business Professionals
    • Professional Development
  • Public Interest
    • Brown Rudnick Charitable Foundation
    • Pro Bono & Community Service
  • Inclusion
    • Inclusion
    • Women in Business Series
  • Contact Us
  • Location
  • Search
  • About
    • About
    • Message From the CEO
    • Firm History
    • Alumni
    • Alumni
    • In Memoriam
  • People
  • Capabilities
    • Practices
    • Industries
    • Global Reach: The Law Firm Network
    • Bankruptcy & Restructuring
    • Brand & Reputation Management
    • Intellectual Property
    • Litigation & Dispute Resolution
    • Special Situations, Distressed Debt and Debt Trading
    • Transactions
    • Tax
    • White Collar Defense, Investigations & Compliance
    • Energy & Environmental
    • Entertainment & Media
    • Investment Management 
    • Life Sciences
    • Technology
    • Real Estate
    • Bankruptcy & Restructuring
    • Bankruptcy Litigation
    • Mass Torts Bankruptcy
    • Intellectual Property
    • Intellectual Property Litigation
    • Patents
    • Trademark, Copyright & Advertising
    • Patent Trial and Appeals Board (PTAB)
    • Litigation & Dispute Resolution
    • Civil Fraud Litigation
    • Employment Practices and Litigation
    • Government Contracts Litigation
    • Intellectual Property Litigation
    • Insurance Recovery
    • Litigation Funding
    • M&A and Private Equity Litigation
    • Real Estate Litigation
    • Patent Trial and Appeals Board (PTAB)
    • UK Tax Controversy & Litigation
    • Special Situations, Distressed Debt and Debt Trading
    • Distressed Debt & Claims Trading
    • Litigation Funding
    • Finance
    • Real Estate Special Situations
    • Transactions
    • Capital Markets
    • Cross-Border Transactions
    • Emerging Growth Companies & Venture Capital
    • Employment
    • Finance
    • Franchising
    • Mergers & Acquisitions
    • Tax
    • White Collar Defense, Investigations & Compliance
    • Economic Sanctions & Export Controls
    • Energy & Environmental
    • Energy
    • Energy Transition
    • Environmental
    • Entertainment & Media
    • Brand & Reputation Management
    • Intellectual Property
    • Sports
    • Investment Management
    • Fund Formation
    • Private Equity Transactions
    • Distressed Debt
    • Emerging Growth Companies & Venture Capital
    • Family-Owned & Closely Held Businesses
    • Private Equity Litigation
    • Life Sciences
    • BR BioAdvisory Services
    • Technology
    • Artificial Intelligence
    • Cybersecurity & Data Privacy
    • Digital Commerce
    • Fintech
    • Real Estate
    • Hospitality & Leisure
    • Distressed Real Estate
    • Real Estate Special Situations
    • Real Estate Litigation
    • Wireless Network Infrastructure
  • Insights
    • Client News
    • Firm News
    • Briefings
    • Events
  • Careers
    • Experienced Lawyers
    • U.S. Law Students
    • London Trainee Program
    • Business Professionals
    • Professional Development
  • Public Interest
    • Brown Rudnick Charitable Foundation
    • Pro Bono & Community Service
  • Inclusion
    • Inclusion
    • Women in Business Series

Search People

Search by last name

A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z

see all people

Asset 3
  • LinkedIn
  • X (formerly known as Twitter)
  • Instagram
  • YouTube
  • Contact Us
  • Terms of Use
  • Privacy
  • Sitemap
  • LinkedIn
  • X (formerly known as Twitter)
  • Instagram
  • YouTube

© 2024 Brown Rudnick LLP. Attorney advertising.

All Rights Reserved.

All Posts Subscribe
print-logo
6/14/2021 4:28:00 PM | 5 minute read

European Commission Publishes New Standard Contractual Clauses

Get in touch

Avatar
Brown Rudnick

Get in touch

Avatar
Brown Rudnick

The EC has issued new Standard Contractual Clauses (“SCCs”) under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) for data transfers from controllers or processors whose processing is subject to GDPR (whether resident in the EU/EEA or not) to controllers or processors established outside the EU/EEA.

Summary

The new SCCs:

  • replace the three sets of SCCs which were adopted under the now replaced Data Protection Directive 95/46.
  • have been pre-approved by the European Commission.
  • come into force on 27 June 2021.
  • include obligations more closely align with the requirements of the GDPR than those under the old SCCs which were related to the Data Protection Directive 95/46.
  • can be used as a basis for data transfers from the EU to third countries.
  • combines general clauses with modular options for various transfer scenarios – thus giving much greater flexibility than the old SCCs.
  • contain 26 recitals explaining how exporters and importers should use them.
  • can form part of a wider contract with other clauses or safeguards added, provided these do not contradict the SCCs “or prejudice the fundamental rights or freedoms of data subjects”.
  • have been prepared after consultation with the European Data Protection Supervisor and the European Data Protection Board which gave a joint opinion on 14 January 2021 on this matter (the “Joint Opinion”).

Main Changes

Whilst the obligations imposed under the new SCCs are far more onerous than those in the old SCCs, the combination of general clauses with modular options helps to improve their flexibility and enables them to address various transfer scenarios which were not previously covered. The old SCCs covered only two types of transfer: controller to controller, and controller to processor. This meant that other common types of data flow were not covered – processor to (sub-)processor in particular. The new SCCs now deal with all the data flows:

  • Module 1: controller to controller
  • Module 2: controller to processor
  • Module 3: processor to processor
  • Module 4: processor to controller

Further changes include Clause 15, which importantly provides steps for an importer to take when subject to a request for disclosure from a public authority and Clause 14, which sets out the factors which can be considered to carry out an assessment of a third country’s legal framework – this will be particularly important for companies seeking to export data to the U.S. (on which there is currently considerable focus with the Facebook litigation in Ireland) and to countries like Russia and China (in respect of which, perhaps oddly, there seems to be less overt concern in the EU but for which focus is increasing – e.g. with investigations into Tik Tok’s data processing).

Clause 7 is an optional “Docking Clause”, an addition which did not exist in the old SCCs. This clause enables a third party to agree to adhere to the new SCCs at any point in time – which is useful for intra-group data flows as it allows new companies to adhere to them on joining the group of companies. This was previously typically dealt with by the use of a Deed of Adherence to the old SCCs, but this express option removes any question over the legality of that mechanism.

Scope

The EC’s decision document, to which the SCCs are annexed, states that the new SCCs may be used for transfers to a processor or controller based outside the EU “only to the extent that the processing by the importer does not fall within the scope of" GDPR. This suggests that the new SCCs cannot be used to legitimise transfers of personal data to a data importer who is outside the EEA, where the importer’s processing of the personal data is subject to the extra-territorial jurisdiction of GDPR including because the importer is providing goods or services to, or monitoring, EU citizens. It is not entirely clear, therefore, how transfers to such importers are to be legitimised if not via the use of the SCCs. The EDPB is intending to confront this issue in an upcoming opinion.

Note that as post-Brexit UK data protection legislation only refers to the SCCs approved as at 31 December 2020, the new SCCs also do not cover transfers to which the UK GDPR applies. The UK ICO intends to consult on and publish UK SCCs during 2021.

Practical considerations

The new clauses are a significant update, particularly in the light of the Schrems II decision which invalidated the EU-U.S. Privacy Shield. Following this decision, they have played a more substantial role as a potentially appropriate safeguard for transferring personal data from the EEA to recipients in the U.S. and other countries without an EU Adequacy Decision (which may include the UK if an adequacy decision is not made in favour of the UK). See here for our recent updates on this issue.

Accountability

Parties will be required to be able to demonstrate compliance with the new SCCs. Specifically, the data importer must:

  • keep appropriate documentation of its processing activities, which it should disclose to the competent supervisory authority on request; and
  • inform the data exporter promptly if it is unable to comply with the SCCs.

In the event that the data importer is in breach of or is unable to comply with the SSCs, the data exporter should suspend any further data transfer or terminate the contract. Further, the new SCCs include a warranty at Clause 8 from the data exporter (enforceable also by the data subjects involved) that it has used “reasonable efforts” to determine the data importer is able to comply with the SCCs.

Liability

The liability provisions reflect those under the GDPR, so that each party is liable to the other party for any damages it causes the other party by breaching the new SCCs and in different situations either or both parties may be liable to the data subjects whose data is being transferred. This is for any material or non-material damages, and where more than one party is at fault, the parties shall be joint and severally liable. As SCCs are often entered into as part of a wider scheme of arrangement, the parties will need to tailor the commercial liability terms of such arrangements to ensure they do not conflict with the liability provisions under the new SCCs – although, it is clear that the SCCs will take precedence over the commercial terms.

Transition period

The new SCCs come into force on 27 June 2021 (i.e. 20 days following their publication in the EU’s Official Journal on 7 June 2021); the old SCCs will not be able to be used three months after this date. SCCs existing on that date can be relied on for a further 15 months following this date. This is effectively a transition period of 18 months, but practically speaking, companies entering into new contracts should start to consider using the new SCCs as soon as possible; they will have to use them once the old SCCs have been repealed.

Next steps

Companies will need to determine which of the ‘Modules’ in the new system applies to their data exports. They will then need to determine how they can satisfy themselves in an accountable fashion that the third country’s data protection framework will not undermine the protections afforded to the data subjects by GDPR and whether and how they and the data importers will be able to comply with contractual obligations in the new SCCs.

Click to view the full alert.

Sign up to receive our latest BRiefings delivered directly to your inbox. Subscribe

Get in touch

Avatar
Brown Rudnick

Get in touch

Avatar
Brown Rudnick
Walters v. OpenAI: A Game-Changing Verdict Reshaping AI, Defamation and Tech's Future
5/27/2025 9:16:20 PM

Walters v. OpenAI: A Game-Changing Verdict Reshaping AI, Defamation and Tech's Future

By Erick Robinson
In a decision that could reshape the legal and technological landscape, the Superior Court of Gwinnett County, Georgia, issued a ruling...
5
5
10

Latest Insights

In the Financial Times, Partner Matthew Sharp discusses UK Renewable Transport Fuel Obligation (RTFO) compliance
5/30/2025 8:28:25 AM

In the Financial Times, Partner Matthew Sharp discusses UK Renewable Transport Fuel Obligation (RTFO) compliance

By Matthew Sharp
German Court Allows Meta to Use Public Data for AI Training: Implications for Europe’s AI Landscape
5/27/2025 3:16:48 PM

German Court Allows Meta to Use Public Data for AI Training: Implications for Europe’s AI Landscape

By Erick Robinson
4
4
NY Court of Appeals Applies Internal-Affairs Doctrine to Standing in Derivative Actions on Behalf of Foreign Corporations
5/21/2025 8:19:59 PM

NY Court of Appeals Applies Internal-Affairs Doctrine to Standing in Derivative Actions on Behalf of Foreign Corporations

By Jonathan Richman
1
26
27