Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.
The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.
Background – What are SCCs and Why are they Needed?
The SCCs are a set of clauses that form a standardized agreement issued by the European Commission, and they are a heavily relied-on tool for transferring personal data outside the European Economic Area (EEA) to countries the Commission determines lack adequate data protection laws (“Third Countries”), such as the United States. Article 46 of Europe’s General Data Protection Regulation (GDPR) outlines the circumstances in which a data controller may transfer data to Third Countries. Under Article 46, U.S. companies and entities in other Third Countries seeking to access or view personal data of a European resident require an appropriate data transfer mechanism, like the SCCs, Binding Corporate Rules (BCRs) or the Department of Commerce’s Data Privacy Framework (DPF), to lawfully transfer EU residents’ personal information.
History of the EU’s Standard Contractual Clauses
Standard Contractual Clauses were first introduced under the EU’s Data Protection Directive enacted in 1995[1], the GDPR’s predecessor. Under the Data Protection Directive, three sets of SCCs were issued in 2001, 2004 and 2010 (collectively, the Old Clauses).
The 2025 Clauses would be the second iteration of transfer clauses within five years, marking a major change, since it had been over a decade since the Commission last updated the model clauses before enacting the current SCCs in 2021.
- 2001 – First iteration of SCCs adopted by the Commission with Decision 2001/497/EC. These clauses were designed for data transfers from EU-based data controllers to non-EU controllers. Under this version of SCCs, both parties were jointly and severally liable for the data protection obligations.
- 2004 – Decision 2004/915/EC marked the second iteration of the SCCs adopted by the Commission, which amended the 2001 clauses to provide more flexibility for data transfers. Like the 2001 Clauses, these 2004 Clauses were designed to permit the lawful transfer of personal data between EU-based data controllers and non-EU controllers.
- 2010 – Decision 2010/87/EU was significant because it established the first set of clauses between data controllers and processors. These 2010 clauses allowed the lawful export of EU personal data between EU-based data controllers and non-EU processors.
- June 4, 2021 – The Commission adopted the current SCCs (Decision 2021/914/EU). Companies were given a three-month grace window to continue to use the Old Clauses, and beginning on September 27, 2021, contracting companies were only permitted to enter into the 2021 clauses. The Commission also provided a 15-month transition window in which existing contracts (entered on or before September 27, 2021) relying on the Old Clauses could be relied on until December 27, 2022. The 2021 clauses are unique in that they apply a modular approach addressing a variety of processing relationships: (i) controller-to-controller data transfers, like the 2001 and 2004 clauses; (ii) controller-to-processor transfers, like the 2010 clauses; and two other modules for (iii) processor-to-processor transfers and (iv) processor-to-controller transfers.
- June 7, 2021 – Current SCCs became effective.
- December 27, 2022 – Last day the Old Clauses could be relied on; all agreements needed to use the 2021 SCCs for lawful data transfers.
- Q4 2024 – Public consultation on the current 2021 SCCs begins.
- Q2 2025 – Updated 2025 Clauses are set to be adopted by the Commission.
Why are the Current SCCs being Updated?
Following the adoption of the 2021 SCCs, many entities seeking to comply with the clauses and their modular approach had questions about gaps in the SCCs that the European Data Protection Board (EDPB) outlined in its 2023 Guidance (Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR). The EDPB specifically noted that, while the SCCs’ modular approach addressed different types of data transfer combinations between data exporter entities in the EU and importer entities in Third Countries, nuances about the processing or the relationship between the exporter and importer were missing. The EDPB outlined 12 different examples in which the use of SCCs was either not required or unclear, but the risk to EU residents’ personal data was still present. For example, the EDPB stated that neither the GDPR nor the current SCCs discussed or required transfer procedures for entities in Third Countries collecting personal data directly from EU residents and sending that data to data processors in Third Countries or entities located in Third Countries already subject to the GDPR. The SCCs also did not contemplate remote access to data in the EU by a Third Country processor acting on behalf of an EU controller. Most companies took a risk-averse approach and enacted the SCCs whenever possible, but we anticipate the 2025 Clauses will address the gaps the EDPB pointed out and better outline when SCCs are required.
What’s Next?
Taft will continue to monitor the Commission’s activity related to the SCCs in the coming weeks, as well as updates on the opening and closing of the public comment period. In the meantime, US entities already subject to the GDPR would be wise to take a belt-and-suspenders approach to international transfers by executing SCCs or BCRs with their EU counterparts until the SCCs are updated. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.
[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.