Out-Law / Your Daily Need-To-Know

Global businesses to get GDPR compliance help with new EU SCCs

Eduard Muzhevskyi/Science Photo Library via Getty Images.

20 Sep 2024, 3:17 pm

Confirmation of a forthcoming consultation on new standard contractual clauses (SCCs) will be welcomed by multinational businesses seeking help in importing personal data from the EU in a way that complies with EU data protection laws, an expert has said.

Malcolm Dowden of Pinsent Masons was commenting after the European Commission confirmed that it plans to request public feedback on new SCCs under the General Data Protection Regulation (GDPR) sometime during the fourth quarter of 2024.

The transfer of personal data across borders is common in the everyday operations of multinational businesses, but strict rules govern such transfers in many jurisdictions. In the EU, the restrictions apply to transfers from the EU to jurisdictions outside of the European Economic Area (EEA) and are outlined under Chapter V of the EU GDPR.

Chapter V provides legal bases – or transfer tools – for businesses to transfer personal data outside of the EEA. These include adequacy decisions; standard contractual clauses (SCCs) and other “appropriate safeguards”; binding corporate rules; and derogations for specific situations.

SCCs were first adopted by the European Commission in 2004 and 2010 but the Commission moved to update them in 2021 following a ruling by the Court of Justice of the EU in 2020 in the so-called ‘Schrems II’ case, which highlighted the due diligence that is necessary around data transfer arrangements and cast doubt on whether the earlier versions of the SCCs were in fact sufficient for enabling EU data protection law compliance.

The 2021 SCCs, however, are expressly not available for use where the data importer or recipient is directly subject to the EU GDPR. This will be the case where the importer or recipient is based in a third country but has an “establishment” in the EU – which could be as minimal as a single agent, as the concept does not require incorporation or physical premises – or because they offer goods or services or monitor data subject behaviour in the EU.

Dowden said that this has meant there are a large number of organisations around the world who wish to import personal data from the EU but cannot rely on SCCs to facilitate those data flows.

Dowden said: “Some organisations have considered using the derogations provided for in Article 49 of the GDPR as the basis for transfers where SCCs cannot be used. However, EU data protection authorities and the Information Commissioner’s Office (ICO) in respect of equivalent UK GDPR provisions have emphasised that derogations are for use only in exceptional circumstances, and cannot be used to support ‘business as usual’ data transfers. That leaves either bespoke contract terms, specifically approved by an EU data protection authorities and/or the ICO, or binding corporate rules, which also require regulator endorsement. Obtaining approval is a long and expensive process, however, and is beyond many organisations.”

“In 2021 the Commission promised it would issue a new, separate set of SCCs that could be used where the data importer or recipient is directly subject to GDPR. The proposed consultation is a significant step towards the long-awaited fulfilment of that promise. Once available, the new SCCs would remove a point of great uncertainly and enforcement risk for organisations transferring personal data to countries other than the very small number considered ‘adequate’ by the Commission,” he said.