Proposed Revamp of Standard Contractual Clauses Welcomed, With Reservations
Draft provisions updating personal data transfer rules to non-EU countries brought cheers but also some concerns from stakeholders. A European Commission consultation on updating standard contractual clauses (SCCs) ended Thursday with about 150 responses. SCCs required modernization under the European…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Court of Justice in Schrems II, which threw out trans-Atlantic data transfer mechanisms in the Privacy Shield (see 2009100001. The draft clauses, floated Nov. 23, aim to align SCCs with the EU general data protection regulation and the court judgment (see 2011200003). Stakeholders generally welcomed several aspects of the draft. ICANN, the Computer & Communications Industry Association (CCIA), the European Internet Services Providers Association (EuroISPA) and the Information Technology Industry Council, among others, praised its risk-based approach to situations where data importers subject to foreign data disclosure laws may have to gauge whether they're likely to receive such requests in deciding whether to use SCCs. That approach "lies at the heart of ICANN community's efforts to develop a mechanism for enabling access to non-public generic top-level domain registration data," the internet body said: "Following this approach seems to be both a realistic and reasonable route to enable global data transfers while meeting other important objectives ... such as public security, crime prevention and investigation, or the enforcement of civil law claims." EuroISPA and the European Consumer Organisation, however, worried the draft SCCs would require companies to take into account the specific circumstances of a transfer, including subjective factors, when the European Data Protection Board and the ECJ said they must rely on objective factors when assessing the law in a data importer's jurisdiction. Vodafone pressed the EC to give companies tools and assurances on how to assess whether surveillance laws and practices in countries without an EC data protection adequacy decision put data subjects' privacy at risk, it said. Several commenters, including the Software & Information Industry Association, BSA|The Software Alliance and CCIA, said the one-year transition period to the new SCCs is too short and would unfairly burden smaller companies. ACT|The App Association, which represents small and midsize application developers, said: "Due to their complexity and implementation burdens, the updated SCCs would not and cannot serve as a replacement for the Privacy Shield for our small business members."