Global | Publication | June 2021
The purpose of the New SCCs is to help companies legitimise the transfer of personal data originating in the EEA to countries outside the EEA whose data protection laws have not been found by the European Commission to offer adequate protection (Third Countries). They will also be a lawful mechanism for UK companies to use.
The documentation published comprises both an Implementing Decision and an Annex setting out the New SCCs themselves. At the same time, the Commission also published a set of clauses for use between controllers and processors, although these are not the focus of this briefing. The New SCCs were updated to:
(a) allow for various types of transfers using a modular approach. In particular, the New SCCs now helpfully provide for processor-to-processor transfers;
(b) give the clauses a GDPR ‘face lift’, including to update cross references to legislation and to ensure alignment with the requirements of the GDPR; and
(c) address the requirements of the Schrems II judgment, noting however that use of the New SCCs does not remove the need to assess the laws of the relevant Third Countries and ensure any necessary supplemental safeguards are implemented. This is a point made clear in both the Implementing Decision and the New SCCs themselves.
The most controversial issue surrounding the New SCCs was how they would deal with the requirements of the Schrems II case. In particular, whether, as in the draft SCCs, the New SCCs would allow organisations to take a risk-based approach when making the local law assessment of a Third Country and therefore consider the “likelihood” that public authorities would in fact access the exported personal data. Fortunately, this provision remains in the New SCCs. However, there is a greater emphasis on ensuring that any practical experience that is considered as part of the assessment is “corroborated and not contradicted by publicly available… information on the absence of requests in the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies”. This emphasis on being able to provide supporting evidence when relying on practical experience seems to be a nod to the stricter position put forward in the Joint Opinion. It will be interesting to see where the EDPB and EDPS land on this point in their final guidance on the Schrems II judgment, which is expected in a few weeks. (Clause 14)
The provisions on challenging public authority access requests are also largely unchanged since the previous draft, although clause 15.2 expands what the importer must take into account when considering the legality of the request and whether to challenge it. (Clause 15)
(a) the obligations on data processors now include all elements required under Art 28 GDPR;
(b) the obligation on importer controllers to notify data protection authorities now applies if a personal data breach is likely to result in a risk to the rights and freedoms of natural persons and the obligation to notify data subjects of personal data breaches is also now aligned to Art 34 GDPR. (Module 1, clause 8.5(e) and (f));
(c) the obligation to implement appropriate technical and organisational safeguards is now more closely aligned to Art 32 GDPR. (Module 1, clauses 8.5; Modules 2 and 3, clause 8.6; Module 4, clause 8.2);
(d) the timeframe within which importer controllers must deal with data subject rights. (Module 1, clause 10); and
(e) the liability regime (Clause 12).
The majority of changes in the New SCCs (when compared to the earlier draft) provide useful clarification. It will also be helpful for companies to see that the Commission broadly retains its original position on companies being able to take into account the “likelihood of access” argument when assessing Third Country laws.
However, companies should not lose sight of the fact that these New SCCs impose some onerous obligations and the parties relying on them will need to quickly consider how they will comply with the non-negotiable obligations in practice, especially as they will replace the current SCCs for all new transfers in just 3 months.
Companies must also remember that the New SCCs are just part of the export picture following Schrems II. Their use sits alongside the requirement for companies to clearly understand where personal data is being sent and accessed from, the roles of the receiving parties (e.g. controllers or processors), the requirement to assess the laws of the relevant Third Countries and to understand whether any additional technical safeguards are required alongside the New SCCs. The picture remains complex.
© Norton Rose Fulbright LLP 2025