EC Unveils Revamped Clauses for Data Transfers
New provisions for data transfers will give businesses more legal certainty, the European Commission said Friday as it published its long-awaited revamped standard contractual clauses. One SCC set is for use between data controllers and processors, a second is for personal data transfers to third countries. They take into account new requirements under general data protection regulation and the European Court of Justice ruling in Schrems II, which annulled Privacy Shield, the EC said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Key changes from the original SCCs update protections to align with GDPR, cover a wide range of transfer scenarios instead of necessitating use of separate sets of clauses, and give practical actions companies must take to comply with the ECJ judgment, plus possible "supplementary measures" such as encryption. Companies using former versions of SCCs have 18 months to shift to the new ones.
Industry reaction was positive.
"Unlike its predecessor, the new SCCs can be used by a wider range of companies in different data transfer scenarios," said the Computer & Communications Industry Association. CCIA Public Policy Senior Manager Alexandre Roure urged the EU to quickly "conclude its data transfer negotiations with its main trading partners." Like CCIA, the Information Technology Industry Council urged EU leaders to stay focused on a new Privacy Shield agreement.
The two most important changes are new flexibility that enables businesses to enter into the same SCCs covering new kinds of transfers, and new obligations to assess transfer risks case by case, emailed Linklaters data protection attorney Tanguy Van Overstraeten. Determining the effect of a data importer's local laws is a "difficult and expensive exercise as some local law enforcement and national security laws are complex and obscure," he noted: The requirements will be "very burdensome" for smaller enterprises that will now be faced with additional paperwork coming after GDPR implementation three years ago. That could increase the trend toward data localization in Europe and could limit access to more affordable technologies for European players, Van Overstraeten said: An adequacy mechanism like Privacy Shield would obviously be far less onerous for business, but achieving a long-term replacement "is going to take time."