ARTICLE
23 September 2024

Upcoming EU Commission Consultation On New Standard Contractual Clauses For Data Transfers

The European Commission is launching a consultation on a long-awaited Standard Contractual Clauses (SCCs) module for data transfers to third-country controllers and processors directly subject to the GDPR.
European Union Privacy

The European Commission is launching a consultation on a long-awaited Standard Contractual Clauses (SCCs) module for data transfers to third-country controllers and processors directly subject to the GDPR. This initiative is crucial for addressing complexities in cross-border data transfers while ensuring the high level of data protection required under EU law is maintained.

What's new?

The Commission has already issued 4 modules of SCCs covering various transfer scenarios. However, a key issue has emerged: if a data importer is located outside the EEA but directly subject to GDPR, should SCCs still be required? It has been argued that if the importer is already bound by GDPR, SCCs might cause an inefficient duplication of obligations, potentially creating confusion for businesses trying to comply with overlapping legal requirements.

While there are unofficial indications from the Commission that SCCs may not be necessary for these scenarios, this is not yet a formal position. The European Data Protection Board (EDPB), however, has taken a much clearer stance. Accordingly, it has concluded that SCCs should indeed be required, even when the importer is subject to GDPR, as they address potential contradictions between foreign laws and EU regulations.

Why is this important?

This debate is not just theoretical but is already playing out in practice. Specifically, the recent Uber 290 million euros fine in the Netherlands highlighted the confusion around this issue. Uber argued that no SCCs were required for data transfers to its US operations because Uber Technologies Inc., as a joint controller with Uber B.V., was already subject to GDPR requirements. However, the Dutch Data Protection Authority (DPA) (Autoriteit Persoonsgegevens) rejected this argument, emphasizing that even importers under GDPR obligations could be subject to foreign laws that conflict with EU standards, reinforcing the need for SCCs in such scenarios.

The new SCC module aims to resolve this confusion by clearly outlining the obligations for third-country importers directly subject to GDPR. It will help ensure consistent compliance while avoiding the unnecessary duplication of requirements that could burden businesses.

What's next?

  • Public consultation: Planned for Q4 2024.
  • Draft adoption: Expected in Q2 2025.

As global data flows increase, it is critical for businesses to stay informed on this evolving regulatory landscape. Would you like to know more? Please reach out to our privacy and data protection law experts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More