The European Commission has recently announced its intention to adopt new Standard Contractual Clauses (SCCs) for the transfer of personal data to controllers and processors based outside of the European Economic Area (EEA) and subject to the General Data Protection Regulation (GDPR) by the second quarter of 2025. Additionally, a public consultation on these clauses will commence in the fourth quarter of 2024.
As a reminder, on June 4, 2021, the European Commission adopted the SCCs for the transfer of personal data to third countries pursuant to the GDPR. However, the scope of these SCCs is limited to "the transfer by a controller or processor of personal data processed subject to [GDPR] (data exporter) to a controller or (sub-)processor whose processing of the data is not subject [GDPR] (data importer)." This limitation renders them unsuitable for situations where both the data exporter and data importer are subject to the GDPR.
In its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, the European Data Protection Board (EDPB) urged the European Commission to prepare a new set of SCCs covering the scenario where both the data exporter and the data importer are subject to the GDPR.
Despite this call to action nearly three years ago, the European Commission has not yet addressed the EDPB's request, leaving organizations in a state of legal uncertainty regarding the transfer of personal data between entities both subject to the GDPR. The European Commission's planned initiative for 2025 has thus been long-awaited and will hopefully address this legal gap.
In its Guidelines 05/2021, the EDPB emphasized that this new set of SCCs should not replicate GDPR obligations but rather focus on elements specifically related to the risks associated with the data importer being located in a third country. These risks include potential conflicting national laws, government access in the third country, and difficulties in enforcing and obtaining redress against an entity outside the EU.
In summary, stay on the lookout and keep the issue of international data transfer on your radar for 2025.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.