The EDPB will provide guidelines on data transfers to importers subject to the GDPR while the European Commission has confirmed that it intends to develop a new and specific set of Standard Contractual Clauses for data transfers to non-EU importers subject to Article 3(2) GDPR.
Data transfers of personal data to countries outside of the European Economic Area (EEA) have to meet certain requirements under the European General Data Protection Regulation (GDPR). If the so-called third country the personal data is transferred to, does not provide an adequate level of data protection, certain measures must be taken.
Ever since the Schrems II ruling and the invalidation of the Privacy Shield, such transfers have become significantly more complicated.
A common safeguard for data transfers to third countries are the so-called Standard Contractual Clauses (SCC). Just recently (4 June 2021) the EU Commission published the revised SCC under the GDPR. Almost simultaneously, the European Data Protection Board (EDPB) published the Recommendations on measures that supplement data transfer tools.
Implementing the revised SCC in accordance with the EDPB Recommendations is – to put it mildly – not an easy task. It appears, however, as if things will get even more intricate in the future.
The big Unknown: recital 7 vs. use of SCC
In recital 7 of the EU Commission's Implementing Decision, it is stated that the revised SCC can be used only if the processing in the third country is not subject to the GDPR:
"The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of the Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679."
This recital 7 has caused a lot of discussions and uncertainty among companies and advisers, since it seems that businesses would have to find solutions other than the revised SCC in cases where the processing by the recipient of the data (importer) in the third country falls within the scope of the GDPR. If, for example, an European online store uses a subcontractor in the United States and the US companies' data processing is subject to the GDPR (Article 3 (2) GDPR), the online store could not rely on the revised SCC as a transfer mechanism.
Another set of SCC as a solution?
The EDPB just published the minutes of its plenary meeting held in September 2021. According to the minutes (paragraph 2), the EDPB is expected to adopt guidelines regarding the relationship between the GDPR's extraterritorial reach and data transfer restrictions. Further, the minutes also state that subsequent to the adoption of these guidelines, the EU Commission will develop a new set of SCC to specifically address the transfer from the EEA to a foreign data importer who is already subject to the GDPR (Article 3(2) GDPR).
The minutes suggest that companies soon will have to deal with two different sets of SCC:
- the revised SCC released by the EU Commission on 4 June 2021 for transfers to data importers in third countries not subject to the GDPR, and
- yet to be drafted SCC for the transfer to importers in third countries that are subject to the GDPR.
How does this affect companies?
Although it is nice to see that there will be guidelines with regards to the interplay between the extraterritorial reach of the GDPR and transfer restrictions, for companies engaging in international data transfers, however, this development further complicates the already difficult process of assessing and documenting the risk of data transfers (Transfer Impact Assessment).
A lot of EU companies are still in the process of analyzing their international data flows and are in the midst of implementing the revised SCC. Soon, they will also have to manage different sets of SCC, depending on the data importer's activities.