If your company uses Google advertising services, you likely received an email earlier this week (an example of which is appended to the bottom of this post) indicating that Google has updated its data processing terms (“Google terms”) to incorporate the new Standard Contractual Clauses (“SCCs”). The new Google terms (with different versions depending on whether Google acts as processor or controller) replace the old Google terms: (i) immediately for any company that accepts the new Google terms (i.e., by logging in and using Google’s services); or (ii) automatically on October 27, 2021 for any company that has not accepted the new Google terms by that date, but previously accepted the old Google terms.

Google is just one of many vendors rolling out updates to their online terms this week to address the new SCCs. As of this post, Facebook, Salesforce, and Amazon have also updated their terms. Similar to other mass rollouts of new terms, this rollout is due to a change in data protection law, specifically EU law.

Earlier this summer, the European Commission issued new SCCs (also known as “model clauses”) to replace the aging SCCs last updated more than a decade ago. As a quick primer, SCCs are EU-endorsed contracts that facilitate the transfer of personal data from the EU to companies based in countries outside the EU that do not have an adequate level of data protection (as defined by the EU). Per the European Commission, all new contracts that involve the transfer of personal data from the EU and that rely on SCCs must use the new form SCCs as of September 27, 2021.

If your company is based in the US, you’ve probably encountered SCCs in many of your contracts since the US is not considered adequate under EU law. The new SCCs are quite a bit more complex than the old SCCs, and require some significant thought and due diligence in order to fill them out. SCC terms are not changeable, with some exceptions. The SCCs are now modular, meaning that they can be tailored to whether the transfer is between a controller and a processor, two controllers, or two processors, and where the parties are located. The SCCs also include three Annexes that must be filled out to describe the data transfer, the security measures taken by the data importer, and the sub-processors used by the data importer.

As part of issuing the new SCCs, the European Commission set a deadline by which companies must update their old contracts to include the new SCCs. The deadline to update to the new SCCs is December 27, 2022.

If your company historically has relied on SCCs, you should, among other things:

  • Review the new SCCs and understand the respective obligations therein.
  • For any contracts moving forward involving personal data from the EU, execute the new SCCs.
  • For any contracts executed before September 27, 2021 involving personal data from the EU, review whether they have already been updated to address the new SCCs. Many vendors have automatically updated their agreements. Any outstanding contracts will need to be updated with the new SCCs by December 27, 2022.