The European Commission (the “Commission”) announced its plans to open a public consultation on the new Standard Contractual Clauses (“SCCs”) in the fourth quarter of 2024. The new SCCs will address the scenario where the data importer (controller or processor) is based outside of the European Economic Area (“EEA”) but is directly subject to the General Data Protection Regulation (“GDPR”) due to Art. 3(2) – offering goods and services to individuals in the EU or monitoring their behaviour within the EU.
Background
When the Commission adopted the 4 June 2021 SCCs for the transfers of personal data to third countries, the scope of these SCCs was limited to transfers from a data exporter subject to the GDPR to a data importer (controller or processor) who was not subject to the GDPR. The 2021 SCCs were not therefore designed for situations where both the data importer and exporter were directly subject to the GDPR. In its Guidelines 05/2021, the European Data Protection Board (“EDPB”) called for the Commission to prepare another set of SCCs to cover the gap.
Next steps
If the Commission will follow the EDPB commentary in Guidelines 05/2021, we expect the new SCCs to focus on the risks associated with the data importer being located in a third country: to address possible conflicting national laws and government access in the third country. The obligations under the new SCCs may incorporate the GDPR principles, information notice to data subjects about the transfers and the risks associated with transfers to a third country, detailed security measures for transfers, notification of data breaches, and provisions governing onward transfers.
What does this mean?
Recent EU supervisory authority decision(s) to impose significant financial penalties on organisations for failing to use appropriate safeguards when transferring personal data to third countries has shown that regulators are not afraid of rigorously enforcing compliance. Organisations cannot rely on the legal uncertainty that has been ongoing since the issuance of the 2021 SCCs to explain why they transfer personal data to third countries without adequate protections in place.
Until the new SCCs are published, organisations should ensure they carefully assess their data transfers, put in place appropriate safeguards either under the most-up-to-date version of the SCCs or use other transfer mechanisms that the GDPR provides for, and complete any transfer impact assessments, where necessary.
A recent decision by a data protection regulator confirms that derogations under Art. 49 GDPR must be relied upon on an exceptional basis. First of all, to rely on a derogation, transfers must not be repetitive. Further, when relying on the transfer for the performance of a contract with a data subject (Art. 49(1)(b) or for the conclusion or performance of a contract concluded in the interest of the data subject (Art. 49(1)(c), the exporter needs to ensure the necessity requirement is met, i.e. the main purpose of the contract could not be achieved without a transfer, and (2) there are no less intrusive alternatives available.