Last week, following a lengthy review, the European Commission has finally approved an updated version of the Standard Contractual Clauses (SCCs) to govern data transfers. Companies will have approximately 18 months to overhaul and adapt their data agreements and privacy practices to meet the requirements of the new SCCs.
This may be a familiar situation for US-based and other non-EU companies. Back in 2018, the General Data Protection Regulation (GDPR) was passed in Europe and permanently changed the privacy legal landscape for both EU companies as well as companies abroad. Non-EU companies who did not normally fall under the jurisdiction of EU authorities suddenly found themselves subject to the extra-territorial scope of the GDPR. Even more, other non-EU companies outside the direct scope of GDPR found themselves indirectly subject to GDPR, due to their receipt and processing of EU personal data. Given the hefty fines that can be levied for violations of GDPR, companies had no choice but to overhaul their data agreements and privacy practices to comply.