Walter said that new EU-SCCs have been designed in a way to address issues highlighted in the CJEU’s ‘Schrems II’ ruling, as well as the related draft guidance the European Data Protection Board has produced on additional safeguards that may be required.
“In line with the Schrems II ruling, the draft new SCCs require organisations to assess local laws in countries where data is being exported to determine if level of protection is essentially equivalent to that guaranteed within the EU,” Walter said. “In this context, the revamped SCCs contain additional requirements on assessing third-county laws, transparency on disclosure requests of public authorities in those countries and notification of the exporter and/or supervisory authorities on possible non-compliances with the obligations under the SCCs, as well as enhanced associated documentation requirements.”
“Unlike the draft EDPB guidance, which is expected to be finalised this month, the SCCs do, however, permit organisations transferring data to third countries to assess the risks of the transfer in light of the specific circumstances of the transfer, including the nature of the data transferred, the type of recipient, the purpose of the processing. Even any reliable information on the application of the third-country law or documented practical experience of the data importer or exporter indicating the existence or absence of prior instances of disclosure requests from public authorities can be included in the risk assessment. It will be interesting to see whether or not the EDPB softens its guidance to allow for such a risk-based approach in assessing the lawfulness of transfers,” Walter said.
London-based data protection law expert Jonathan Kirsop of Pinsent Masons explained how the new EU-SCCs will impact UK-based businesses.
Kirsop said: “For UK businesses, it should be noted that the new SCCs are – of course – directly effective in respect of data transfers from the EEA only. The UK ICO though is expected to release its own version of the SCCs for transfers from the UK imminently. While there may be some local nuance, these are widely expected to follow the principles and scope of this new set of EU-SCCs. Further consideration will be needed where organisations transfer data from both the EU and UK to third countries, and wider guidance from the regulators welcome on whether one set of SCCs based on the EU version would represent an effective instrument ensuring protection under both the UK and EU GDPR. At this stage, UK businesses would not be required to execute SCCs as importers but this is contingent on the Commission’s draft adequacy decision being ratified by the end of this month.”
Walter said that the publication of the new EU-SCCs should spur businesses to map their data sharing and transfer activities, assess the risks of the transfers in light of the specific circumstances of the transfers and take measures accordingly, and stay informed on further EU and UK developments.
Pinsent Masons is hosting an online event on 24 June on the new SCCs and what they mean for data transfer between the EEA, UK and third countries. There is free registration for the event.