EDPB to Provide Much Needed Clarification on New EU SCCs Scope for Importers Subject to the GDPR

Goodwin
Contact

Goodwin

The European Data Protection Board (EDPB) recently published Minutes of its last plenary meeting held in September, which sheds light on how the EDPB plans to address the biggest open issue of the new Standard Contractual Clauses (SCCs) — how importers subject to the General Data Protection Regulation (GDPR) could effect a data transfer given the new SCCs only apply to data importers who are not subject to the GDPR.

There has been much speculation as to the meaning behind this limitation, but the EDPB’s Minutes suggest the EDPB is planning to clarify that a cross-border transfer mechanism (e.g., the SCCs) is needed even when the data importer is already required to comply with the GDPR. Read more in our summary below.

THE UPCOMING EDPB GUIDANCE ON INTERNATIONAL TRANSFERS

As we described in our article here, the EDPB previously announced that they were working on guidance to clarify the interplay between the GDPR territorial scope and the GDPR’s rules on international transfers. In the recently published Minutes, the EDPB indicated that, after the guidance is adopted, the European Commission will develop a specific set of SCCs regarding transfers to importers subject to the GDPR. In doing so, we expect the EDPB will confirm that a transfer to a data importer already subject to the GDPR is a “restricted transfer” regulated by Chapter V of the GDPR. This interpretation is also consistent with the preferred position taken by the UK Information Commissioner’s Office (ICO) during its consultation on the UK SCCs (which closed on 7 October).

The EDPB statements suggest that there will be two sets of the new SCCs — one applicable to importers who are not subject to the GDPR (the SCCs released by the European Commission on June 4th this year), and the other applicable to importers who are subject to the GDPR, to be developed by the European Commission. We anticipate that the latter set of SCCs will include a “lighter” set of obligations on the data importer, given that the importer will already be subject directly to the GDPR, and will likely focus on regulating conduct in the case of requests by public authorities (similar to Section III of the new SCCs).

KEY TAKEAWAYS

Clarification on this point is very welcome. However, it now looks like businesses will face further administrative burden in assessing and implementing the correct documentation for data transfers, possibly managing different sets of SCCs depending on the activities of the importer.

The EDPB statements also come at an interesting time for businesses, who are still grappling with transfer impact assessments and managing their transition to the new SCCs. Businesses engaging in cross-border transfers of European data should keep a close eye on the EDPB’s and the ICO’s guidance and be prepared to review their data transfer strategy.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising

Written by:

Goodwin
Contact
more
less

Goodwin on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.