Data Protection Change Affects U.S. Companies in EU Business Matters

U.S. companies doing business with the European Union (EU) should take note of an important recent change made to the standard contractual clauses (SCCs). SCCs are pre-approved model data protection clauses that can be incorporated into contracts, providing an easy-to-use tool to comply with data protection requirements, namely the EU’s General Data Protection Regulation (GDPR). The GDPR was implemented (in relevant part) to safeguard personal data of EU citizens as that data is exported to the U.S.

The European Commission recently adopted a new, significantly upgraded set of SCCs. The new SCCs use a modular approach to account for different transfer scenarios: (1) controller to controller; (2) controller to processor; (3) processor to processor; and (4) processor to controller.

The new SCCs go into effect on June 27, 2021. There is, however, a three-month transition period within which the previous version of the SCCs may still be used for entering into new data transfers. In other words, relevant agreements currently being negotiated and which will be finalized within the next three months (before September 27, 2021) can use the previous version of the SCCs. Additionally, the previous SCCs can continue to be relied on in executed agreements until December 27, 2022; any agreement with a term that is beyond that date should be amended to include the new SCCs.

We Can Help.
If you have questions about how the changes detailed above might affect your business, please contact Maslon Attorney Eran Kahana.