Blog Post

How to Navigate the New Standard Contractual Clauses with the Help of Artificial Intelligence

By Adam Roughley, Data Protection Lead

Sep 28, 2021

By now, most privacy professionals are aware that the European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, 2021.  The new SCCs were developed and adopted as a result of two significant events in the data protection world: the passage of the General Data Protection Regulation (GDPR) in 2018, and the Court of Justice in the European Union’s (CJEU) ruling in the “Schrems II” case, which invalidated the EU-US Privacy Shield data transfer framework.

What are SCCs and why are they important?

Under the GDPR, EU personal data may only be transferred to another country (or, once transferred, onward to a third country) if one of several requirements are met.  In practice, this means that personal data is usually transferred either to a country designated by the European Commission as providing an “adequate” level of data protection, or via the use of “appropriate safeguards”, namely, SCCs or Binding Corporate Rules (BCRs).  Since BCRs may only be used after completing a lengthy approval process with a European regulator, they are mostly used by very large, multinational companies.  That leaves SCCs as the most commonly used mechanism to transfer data out of the EU to countries without “adequate” protections in place, including the United States, Australia, (and as of the date of this writing), the United Kingdom.  

The first SCCs for controller-to-controller transfers were adopted in 2001 (and amended in 2004) and the first SCCs for controller-to-processor transfers were adopted in 2002 (and later amended in 2010). However, both sets of SCCs were issued in a pre-GDPR era, and lacked many of the protections and processing standards required by the GDPR. The “new” SCCs allow the old SCCs to be used for new data transfers until the end of September, and for existing data transfers until the end of 2022.  That means, of course, that organizations must make sure their current and future data transfers that rely on SCCs are based on the new SCCs by December 31, 2022.  For many organizations, that means they are about to (or have already begun) the tedious, manual process of reviewing and renegotiating the vast majority of their Data Processing Agreements in place with their customers and vendors.

Read on to see how the Relyance AI Platform can evaluate your entire contracts inventory instantaneously and automatically direct you to each contract that needs to be updated with the new SCCs...

What Changed?

Four key ways the new SCCs differ from the two legacy SCCs:

Modular design

The old SCCs only accounted for two types of data transfers: controller-to-controller, and controller-to-processor, which left processors needing to export data out of the EU stuck without a compliant transfer mechanism. The new SCCs are modular by design, as they include terms that apply to any of the four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

Docking clause

The old SCCs only accounted for a relationship between two parties: a data exporter and a data importer.  The new SCCs allow for additional parties to be added to an existing set of SCCs to account for large-scale intra- or extra-group data transfers among a number of individual organizations.

Geographic scope

The new SCCs recognize a reality that the old SCCs did not: that some organizations who are not established in the EU, but are still subject to the GDPR due to their processing operations, also need to be able to transfer data out of the EU.

Schrems II  

Following the Schrems II decision, which highlighted the difficulty in ensuring that personal data would be sufficiently protected in countries like the U.S. where local laws and government activity may present a privacy risk, the new SCCs require importers and exporters to undergo a risk assessment and warrant that the importer’s local laws will not stop it from complying with the requirements of the SCCs.

How will Relyance AI help me manage the new SCC Requirements?

The Relyance AI Platform will help you navigate this difficult transition to the new SCCs.  Through the use of Artificial Intelligence and Machine Learning, our Platform will analyze all of your contracts and identify which of them rely on the old SCCs for international data transfers and need to be updated.  It will alert you to which of your contracts are relying on the old SCCs by raising an Intelligent Insight for each such contract.  This revolutionary technology will free your legal and compliance teams from having to spend countless hours reviewing your entire contract repository in order to comply with the SCC requirements, allowing them to spend time on other matters, like supporting the growth and development of your business.

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.


Static and dynamic content editing

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

How to customize formatting for each rich text

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

Blog Post

How to Navigate the New Standard Contractual Clauses with the Help of Artificial Intelligence

By Adam Roughley, Data Protection Lead

Sep 28, 2021

Get the whitepaper

Required field*