Standard Contractual Clauses have become even more critical - are you ready?

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in the Schrems II case in which it invalidated the EU-US/Swiss-US Privacy Shield Framework (Privacy Shield).  In the same decision, the CJEU confirmed that Standard Contractual Clauses (SCCs) remain a valid data transfer mechanism when transferring personal data outside of the European Economic Area (EEA). Given this decision, organizations that rely on Privacy Shield will need to implement an alternative data transfer mechanism to continue transfers of personal data to the United States. 

The ruling in the Schrems II case does not affect Box's or our customers' ability to continue using Box in compliance with European law.

Standard Contractual Clauses Have Never Been More Critical

Box has historically offered customers an overlapping set of legal mechanisms and frameworks for data transfers outside of the EEA:  (1) Controller and Processor Binding Corporate Rules (BCRs), (2) Privacy Shield, and (3) SCCs. 

SCCs are a set of contractual terms and conditions issued by the European Commission that the Controller and Processor of personal data both agree to and provide an appropriate safeguard for data transfers under Article 46 of the General Data Protection Regulation (GDPR). Now that Privacy Shield has been struck down, and in light of the uncertainty around the impact Brexit will have on our ability to rely on BCRs post-December 31, 2020 for data transfers between the United Kingdom, EEA and the US, SCCs have become even more critical for our customers' continued compliance with EU and UK data privacy and data transfer laws.

Take Action Now

To make it easy for our EEA and UK customers to continue to maintain a lawful data transfer mechanism, Box is updating its Data Processing Addendum (DPA) to include SCCs.

Whether you're an existing Box customer with a DPA or a new or existing customer without a DPA, Box can provide you with SCCs. With the invalidation of Privacy Shield and the approaching end of the Brexit transition period on December 31, 2020, customers should take action to complete SCCs now. 

Customers with a DPA

Impacted customers that have an existing DPA will receive an in-app notification and direct email to review and execute the SCC addendum. If you believe you are an impacted customer and have not received such a notice, please email 

Customers Without a DPA

Impacted customers without an existing DPA will also receive an in-app notification and direct email to review and execute the DPA. Customers can also review our online self-serve, easy-to-execute DPA by visiting the Box GDPR website. The DPA is available at no cost and comprehensively lists all the approved mechanisms for transfers of personal data. If you have any questions regarding the DPA and/or the SCC addendum, please email

Box is committed to protecting the privacy of personal data. We want to ensure Box offers the most flexible options to customers when it comes to transfers of personal data while maintaining compliance with European data protection law. Customers impacted by the Schrems II decision and Brexit will receive an email communication with the applicable revised DPA or SCC addendum (collectively, "Agreement") attached. 

Please review and execute the Agreement. If you continue to use the Box services provided under the relevant DPA or other agreement already in place 30 days after issuance, we will consider you to have consented to the Agreement, and its terms will thereafter apply. Should you have any questions, or to exercise your right to object under GDPR, please email us at

To learn more about SCCs as data transfer mechanisms, please refer to the following resources: