/ New Standard Contract Clauses

August 10, 2021

Jaime Urzúa
Alessandri Associate

2020 was a key year for the right to privacy. The pandemic introduced a series of challenges in relation to the use of personal health data and the rethinking of security in the digital environment with the rise of teleworking. Thus, this right became a protagonist on several fronts, one of which came to light in the middle of that year.

On July 16th, 2020, the Court of Justice of the European Union ruled in the Schrems II case, invalidating the Privacy Shield adequacy scheme for the cross-border flow of personal data and giving way to standard contractual clauses (the “SCCs”) as a basis for legitimizing the transfer of data to countries that do not have adequate legislation. It should be recalled that in this case a complaint was filed against Facebook Ireland because it was transferring personal data of its users to the United States, where such data could be subject to control by the National Security Agency or other investigative entities.

Consequently, the European Commission (the “EC”) took on the role of updating the SCCs with new ones. Almost a year later, in June 2021, the EC approved the new SCCs, which will replace the old ones and will allow to legitimize transfers of personal data from the European Economic Area to countries that do not have adequate data protection standards, in line with the 2018 GDPR. These changes result in greater certainty regarding the cross-border communication of this type of data, but increase the demands and requirements for those who process it.

One of the novelties in these new SCCs is that the regulation is modular, establishing four types of transfers between data controllers and data processors. Compliance work in companies will be essential to identify the reality of each business in relation to the ways of processing the personal data of customers, prospects and collaborators.

Regarding deadlines, the EC established that the new SCCs may be used as of June 27th, 2021, while the old SCCs will lose their validity on September 27th, 2021. In addition, organizations will have a vacancy period of 18 months to adapt the old SCCs for the new ones, which will expire on December 27th, 2022.

One of the main questions raised during Schrems II and still pending is whether these new SCCs will remain a “stopgap” solution or whether they will effectively move forward with raising the standard of compliance in those countries that still do not have adequate legislation to protect the processing of personal data. One of them is the United States, where several states are moving forward with new laws (a law was recently passed in the State of Colorado that will come into force in 2023). Another case is Chile, where we have been behind in this area since 2010, when our country became part of the OECD and undertook to raise its compliance standards.

These changes are moving in the right direction, so we must strengthen the adaptation of countries, both in the public and private sectors, to international best practices to treat personal data securely and in line with the challenges of this digital era.