How to Navigate the New Standard Contractual Clauses with the Help of Artificial Intelligence
By Adam Roughley, Data Protection Lead
By Adam Roughley, Data Protection Lead
By now, most privacy professionals are aware that the European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, 2021. The new SCCs were developed and adopted as a result of two significant events in the data protection world: the passage of the General Data Protection Regulation (GDPR) in 2018, and the Court of Justice in the European Union’s (CJEU) ruling in the “Schrems II” case, which invalidated the EU-US Privacy Shield data transfer framework.
Under the GDPR, EU personal data may only be transferred to another country (or, once transferred, onward to a third country) if one of several requirements are met. In practice, this means that personal data is usually transferred either to a country designated by the European Commission as providing an “adequate” level of data protection, or via the use of “appropriate safeguards”, namely, SCCs or Binding Corporate Rules (BCRs). Since BCRs may only be used after completing a lengthy approval process with a European regulator, they are mostly used by very large, multinational companies. That leaves SCCs as the most commonly used mechanism to transfer data out of the EU to countries without “adequate” protections in place, including the United States, Australia, (and as of the date of this writing), the United Kingdom.
The first SCCs for controller-to-controller transfers were adopted in 2001 (and amended in 2004) and the first SCCs for controller-to-processor transfers were adopted in 2002 (and later amended in 2010). However, both sets of SCCs were issued in a pre-GDPR era, and lacked many of the protections and processing standards required by the GDPR. The “new” SCCs allow the old SCCs to be used for new data transfers until the end of September, and for existing data transfers until the end of 2022. That means, of course, that organizations must make sure their current and future data transfers that rely on SCCs are based on the new SCCs by December 31, 2022. For many organizations, that means they are about to (or have already begun) the tedious, manual process of reviewing and renegotiating the vast majority of their Data Processing Agreements in place with their customers and vendors.
Read on to see how the Relyance AI Platform can evaluate your entire contracts inventory instantaneously and automatically direct you to each contract that needs to be updated with the new SCCs...
Four key ways the new SCCs differ from the two legacy SCCs:
The old SCCs only accounted for two types of data transfers: controller-to-controller, and controller-to-processor, which left processors needing to export data out of the EU stuck without a compliant transfer mechanism. The new SCCs are modular by design, as they include terms that apply to any of the four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The old SCCs only accounted for a relationship between two parties: a data exporter and a data importer. The new SCCs allow for additional parties to be added to an existing set of SCCs to account for large-scale intra- or extra-group data transfers among a number of individual organizations.
The new SCCs recognize a reality that the old SCCs did not: that some organizations who are not established in the EU, but are still subject to the GDPR due to their processing operations, also need to be able to transfer data out of the EU.
Following the Schrems II decision, which highlighted the difficulty in ensuring that personal data would be sufficiently protected in countries like the U.S. where local laws and government activity may present a privacy risk, the new SCCs require importers and exporters to undergo a risk assessment and warrant that the importer’s local laws will not stop it from complying with the requirements of the SCCs.
The Relyance AI Platform will help you navigate this difficult transition to the new SCCs. Through the use of Artificial Intelligence and Machine Learning, our Platform will analyze all of your contracts and identify which of them rely on the old SCCs for international data transfers and need to be updated. It will alert you to which of your contracts are relying on the old SCCs by raising an Intelligent Insight for each such contract. This revolutionary technology will free your legal and compliance teams from having to spend countless hours reviewing your entire contract repository in order to comply with the SCC requirements, allowing them to spend time on other matters, like supporting the growth and development of your business.
By Adam Roughley, Data Protection Lead
By now, most privacy professionals are aware that the European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, 2021. The new SCCs were developed and adopted as a result of two significant events in the data protection world: the passage of the General Data Protection Regulation (GDPR) in 2018, and the Court of Justice in the European Union’s (CJEU) ruling in the “Schrems II” case, which invalidated the EU-US Privacy Shield data transfer framework.
Under the GDPR, EU personal data may only be transferred to another country (or, once transferred, onward to a third country) if one of several requirements are met. In practice, this means that personal data is usually transferred either to a country designated by the European Commission as providing an “adequate” level of data protection, or via the use of “appropriate safeguards”, namely, SCCs or Binding Corporate Rules (BCRs). Since BCRs may only be used after completing a lengthy approval process with a European regulator, they are mostly used by very large, multinational companies. That leaves SCCs as the most commonly used mechanism to transfer data out of the EU to countries without “adequate” protections in place, including the United States, Australia, (and as of the date of this writing), the United Kingdom.
The first SCCs for controller-to-controller transfers were adopted in 2001 (and amended in 2004) and the first SCCs for controller-to-processor transfers were adopted in 2002 (and later amended in 2010). However, both sets of SCCs were issued in a pre-GDPR era, and lacked many of the protections and processing standards required by the GDPR. The “new” SCCs allow the old SCCs to be used for new data transfers until the end of September, and for existing data transfers until the end of 2022. That means, of course, that organizations must make sure their current and future data transfers that rely on SCCs are based on the new SCCs by December 31, 2022. For many organizations, that means they are about to (or have already begun) the tedious, manual process of reviewing and renegotiating the vast majority of their Data Processing Agreements in place with their customers and vendors.
Read on to see how the Relyance AI Platform can evaluate your entire contracts inventory instantaneously and automatically direct you to each contract that needs to be updated with the new SCCs...
Four key ways the new SCCs differ from the two legacy SCCs:
The old SCCs only accounted for two types of data transfers: controller-to-controller, and controller-to-processor, which left processors needing to export data out of the EU stuck without a compliant transfer mechanism. The new SCCs are modular by design, as they include terms that apply to any of the four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The old SCCs only accounted for a relationship between two parties: a data exporter and a data importer. The new SCCs allow for additional parties to be added to an existing set of SCCs to account for large-scale intra- or extra-group data transfers among a number of individual organizations.
The new SCCs recognize a reality that the old SCCs did not: that some organizations who are not established in the EU, but are still subject to the GDPR due to their processing operations, also need to be able to transfer data out of the EU.
Following the Schrems II decision, which highlighted the difficulty in ensuring that personal data would be sufficiently protected in countries like the U.S. where local laws and government activity may present a privacy risk, the new SCCs require importers and exporters to undergo a risk assessment and warrant that the importer’s local laws will not stop it from complying with the requirements of the SCCs.
The Relyance AI Platform will help you navigate this difficult transition to the new SCCs. Through the use of Artificial Intelligence and Machine Learning, our Platform will analyze all of your contracts and identify which of them rely on the old SCCs for international data transfers and need to be updated. It will alert you to which of your contracts are relying on the old SCCs by raising an Intelligent Insight for each such contract. This revolutionary technology will free your legal and compliance teams from having to spend countless hours reviewing your entire contract repository in order to comply with the SCC requirements, allowing them to spend time on other matters, like supporting the growth and development of your business.
By now, most privacy professionals are aware that the European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, 2021. The new SCCs were developed and adopted as a result of two significant events in the data protection world: the passage of the General Data Protection Regulation (GDPR) in 2018, and the Court of Justice in the European Union’s (CJEU) ruling in the “Schrems II” case, which invalidated the EU-US Privacy Shield data transfer framework.
Under the GDPR, EU personal data may only be transferred to another country (or, once transferred, onward to a third country) if one of several requirements are met. In practice, this means that personal data is usually transferred either to a country designated by the European Commission as providing an “adequate” level of data protection, or via the use of “appropriate safeguards”, namely, SCCs or Binding Corporate Rules (BCRs). Since BCRs may only be used after completing a lengthy approval process with a European regulator, they are mostly used by very large, multinational companies. That leaves SCCs as the most commonly used mechanism to transfer data out of the EU to countries without “adequate” protections in place, including the United States, Australia, (and as of the date of this writing), the United Kingdom.
The first SCCs for controller-to-controller transfers were adopted in 2001 (and amended in 2004) and the first SCCs for controller-to-processor transfers were adopted in 2002 (and later amended in 2010). However, both sets of SCCs were issued in a pre-GDPR era, and lacked many of the protections and processing standards required by the GDPR. The “new” SCCs allow the old SCCs to be used for new data transfers until the end of September, and for existing data transfers until the end of 2022. That means, of course, that organizations must make sure their current and future data transfers that rely on SCCs are based on the new SCCs by December 31, 2022. For many organizations, that means they are about to (or have already begun) the tedious, manual process of reviewing and renegotiating the vast majority of their Data Processing Agreements in place with their customers and vendors.
Read on to see how the Relyance AI Platform can evaluate your entire contracts inventory instantaneously and automatically direct you to each contract that needs to be updated with the new SCCs...
Four key ways the new SCCs differ from the two legacy SCCs:
The old SCCs only accounted for two types of data transfers: controller-to-controller, and controller-to-processor, which left processors needing to export data out of the EU stuck without a compliant transfer mechanism. The new SCCs are modular by design, as they include terms that apply to any of the four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The old SCCs only accounted for a relationship between two parties: a data exporter and a data importer. The new SCCs allow for additional parties to be added to an existing set of SCCs to account for large-scale intra- or extra-group data transfers among a number of individual organizations.
The new SCCs recognize a reality that the old SCCs did not: that some organizations who are not established in the EU, but are still subject to the GDPR due to their processing operations, also need to be able to transfer data out of the EU.
Following the Schrems II decision, which highlighted the difficulty in ensuring that personal data would be sufficiently protected in countries like the U.S. where local laws and government activity may present a privacy risk, the new SCCs require importers and exporters to undergo a risk assessment and warrant that the importer’s local laws will not stop it from complying with the requirements of the SCCs.
The Relyance AI Platform will help you navigate this difficult transition to the new SCCs. Through the use of Artificial Intelligence and Machine Learning, our Platform will analyze all of your contracts and identify which of them rely on the old SCCs for international data transfers and need to be updated. It will alert you to which of your contracts are relying on the old SCCs by raising an Intelligent Insight for each such contract. This revolutionary technology will free your legal and compliance teams from having to spend countless hours reviewing your entire contract repository in order to comply with the SCC requirements, allowing them to spend time on other matters, like supporting the growth and development of your business.
By Adam Roughley, Data Protection Lead
By now, most privacy professionals are aware that the European Commission adopted new Standard Contractual Clauses (SCCs) on June 4, 2021. The new SCCs were developed and adopted as a result of two significant events in the data protection world: the passage of the General Data Protection Regulation (GDPR) in 2018, and the Court of Justice in the European Union’s (CJEU) ruling in the “Schrems II” case, which invalidated the EU-US Privacy Shield data transfer framework.
Under the GDPR, EU personal data may only be transferred to another country (or, once transferred, onward to a third country) if one of several requirements are met. In practice, this means that personal data is usually transferred either to a country designated by the European Commission as providing an “adequate” level of data protection, or via the use of “appropriate safeguards”, namely, SCCs or Binding Corporate Rules (BCRs). Since BCRs may only be used after completing a lengthy approval process with a European regulator, they are mostly used by very large, multinational companies. That leaves SCCs as the most commonly used mechanism to transfer data out of the EU to countries without “adequate” protections in place, including the United States, Australia, (and as of the date of this writing), the United Kingdom.
The first SCCs for controller-to-controller transfers were adopted in 2001 (and amended in 2004) and the first SCCs for controller-to-processor transfers were adopted in 2002 (and later amended in 2010). However, both sets of SCCs were issued in a pre-GDPR era, and lacked many of the protections and processing standards required by the GDPR. The “new” SCCs allow the old SCCs to be used for new data transfers until the end of September, and for existing data transfers until the end of 2022. That means, of course, that organizations must make sure their current and future data transfers that rely on SCCs are based on the new SCCs by December 31, 2022. For many organizations, that means they are about to (or have already begun) the tedious, manual process of reviewing and renegotiating the vast majority of their Data Processing Agreements in place with their customers and vendors.
Read on to see how the Relyance AI Platform can evaluate your entire contracts inventory instantaneously and automatically direct you to each contract that needs to be updated with the new SCCs...
Four key ways the new SCCs differ from the two legacy SCCs:
The old SCCs only accounted for two types of data transfers: controller-to-controller, and controller-to-processor, which left processors needing to export data out of the EU stuck without a compliant transfer mechanism. The new SCCs are modular by design, as they include terms that apply to any of the four possible transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
The old SCCs only accounted for a relationship between two parties: a data exporter and a data importer. The new SCCs allow for additional parties to be added to an existing set of SCCs to account for large-scale intra- or extra-group data transfers among a number of individual organizations.
The new SCCs recognize a reality that the old SCCs did not: that some organizations who are not established in the EU, but are still subject to the GDPR due to their processing operations, also need to be able to transfer data out of the EU.
Following the Schrems II decision, which highlighted the difficulty in ensuring that personal data would be sufficiently protected in countries like the U.S. where local laws and government activity may present a privacy risk, the new SCCs require importers and exporters to undergo a risk assessment and warrant that the importer’s local laws will not stop it from complying with the requirements of the SCCs.
The Relyance AI Platform will help you navigate this difficult transition to the new SCCs. Through the use of Artificial Intelligence and Machine Learning, our Platform will analyze all of your contracts and identify which of them rely on the old SCCs for international data transfers and need to be updated. It will alert you to which of your contracts are relying on the old SCCs by raising an Intelligent Insight for each such contract. This revolutionary technology will free your legal and compliance teams from having to spend countless hours reviewing your entire contract repository in order to comply with the SCC requirements, allowing them to spend time on other matters, like supporting the growth and development of your business.
By Adam Roughley, Data Protection Lead