16 September 2024

New Standard Contractual Clauses For The International Transfer Of Personal Data Coming Up In 2025

Steptoe LLP

Contributor

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.

The European Commission has recently announced its intention to adopt new Standard Contractual Clauses (SCCs) for the transfer of personal data to controllers and processors based outside of the European Economic Area (EEA) and subject to the General Data Protection Regulation (GDPR) by the second quarter of 2025. Additionally, a public consultation on these clauses will commence in the fourth quarter of 2024.

As a reminder, on June 4, 2021, the European Commission adopted the SCCs for the transfer of personal data to third countries pursuant to the GDPR. However, the scope of these SCCs is limited to "the transfer by a controller or processor of personal data processed subject to [GDPR] (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to [GDPR] (data importer)." This limitation renders them unsuitable for situations where both the data exporter and data importer are subject to the GDPR.

In its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, the European Data Protection Board (EDPB) urged the European Commission to prepare a new set of SCCs covering the scenario where both the data exporter and the data importer are subject to the GDPR.

Despite this call to action nearly three years ago, the European Commission has not yet addressed the EDPB's request, leaving organizations in a state of legal uncertainty regarding the transfer of personal data between entities both subject to the GDPR. The European Commission's planned initiative for 2025 has thus been long-awaited and will hopefully address this legal gap.

In its Guidelines 05/2021, the EDPB emphasized that this new set of SCCs should not replicate GDPR obligations but rather focus on elements specifically related to the risks associated with the data importer being located in a third country. These risks include potential conflicting national laws, government access in the third country, and difficulties in enforcing and obtaining redress against an entity outside the EU.

In summary, stay on the lookout and keep the issue of international data transfer on your radar for 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
