Key Differences between the Old SCCs and New SCCs
The old SCCs were drafted in response to Directive 95/46/EC (1995), the main EU privacy law until 2016 when it was replaced by the GDPR. The new SCCs mirror many of the requirements and principles of the GDPR, including extraterritoriality.

The old SCCs came in two separate documents, one for the cross-border transfer of personal information from controller to controller, and one for the cross-border transfer of personal information from controller to processor. The new SCCs, however, come in one document but are divided into four Modules to account for four (instead of only two) cross-border transfer scenarios. Module One addresses the cross-border transfer of personal information from controller to controller, Module Two addresses the cross-border transfer of personal information from controller to processor, Module Three addresses the cross-border transfer of personal information from processor to sub-processor, and Module Four addresses the cross-border transfer of personal information from processor to controller.

While many of the responsibilities and data processing principles under the new SCCs remain the same, some of the key differences from the old SCCs include, but are not limited to:

• more responsibilities and shifting burdens to data importers (e.g., additional representations and warranties, onward transfer obligations, notification and recordkeeping requirements, as well as new sensitive data and accuracy obligations, and expanded security and data breach requirements);
• for data importers who are data processors, Modules Two and Three also incorporate the compulsory clauses of the GDPR mentioned above in Set One;
• more direct liability to both individuals and authorities in Europe for data importers;