The European Commission late last week adopted two sets of standard contractual clauses for international data transfers between controllers and processors and for transfers of personal data to third countries.

The clauses - known as Standard Contractual Clauses or SCCs - factor a few recent machinations in the European data protection world, including a recent decision made in the case Schrems II in the Court of Justice of the European Union’s (CJEU) along with new requirements under the General Data Protection Regulation, or GDPR.

while the European Commission announced the new clauses on Friday, they won't become official until 20 days after they've been published in the EU's Official Journal, something which is scheduled to happen in the coming days. if you're a controller or processor that's already in the middle of using the older sets of standard contractual clauses, the EC says you'll be given an 18-month transition period.

The tools should help businesses ensure compliance with local requirements for safe data transfers and, according to the European Commission, 'address the realities faced by modern business'

As mentioned, the changes includes change confirmed by the EU's Court of Justice last summer. almost a year ago, on July 16, the CJEU determined the validity of the controller–to-processor Standard Contractual Clauses as a cross-border data transfer mechanism under GDPR, something which invalidated the EU/US Privacy Shield. That decision stemmed from Schrems II, also known as Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, a case in which it was alleged Facebook violated EU law when it transferred personal data to the U.S.

The new SCC upholds the idea that international data flows under the European Union’s General Data Protection Regulation (GDPR) can continue to be based on EU Standard Contractual Clauses

According to the European commission, the new clauses also do the following:

• Update in line with the General Data Protection Regulation (GDPR);
• One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
• More flexibility for complex processing chains, through a ‘modular approach' and by offering the possibility for more than two parties to join and use the clauses;
• Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures', such as encryption, that companies may take if necessary

When it comes to the relationship between controllers and processors, as we’ve seen, the European Commission has the ability to adopt SCCs as a means to demonstrate GDPR compliance. it can also adopt SSCs to help bolster data protection safeguards for data transferred internationally.

Full text from both standard contractual clauses – transferring of personal data to third countries - can be found here and – and between controllers and processors - here.

“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it," Vice-President for Values and Transparency, Vera Jourová said in a statement on Friday, "The modernised Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”