Transferring personal data from one EU Member State to another does not entail any formalities in addition to the basic and established requirements of the EU General Data Protection Regulation (GDPR). The reason for this is that all EU Member States are, by default, deemed to provide an ‘adequate’ level of protection thanks to the robust and mostly harmonised privacy laws in place. The same can largely be said about countries within the European Economic Area (EEA).
Transfers of personal data from the EU to the so-called white-listed third countries (which now also include the United Kingdom) are also relatively straightforward for the same reason, namely, that the EU deems these countries to provide an adequate level of protection.
What is difficult is effecting a data transfer to a third country (outside the EU/EEA) when such country is not ‘white-listed’. Such transfers must be allowed on the basis of the restrictive rules emerging from the GDPR itself.
The EU Commission’s Standard Contractual Clauses (SCCs) are one of a number of ways of legitimising such transfers of personal data to third countries. Following a number of delays and issues with the old SCCs (still referring to the previous legal regime rather than the GDPR), these have now finally been revamped. Going forward, parties transferring or intending to transfer personal data to third countries shall soon (subject to the transitory periods) be required to incorporate the newly launched SCCs issued by the European Commission, unless another transfer method or derogation can be identified. Such other methods or derogations go beyond the scope of this brief article.
Updated SCCs
The updated SCCs are, in part, a response to the landmark Schrems II decision of the CJEU (Case C-311/18) which, apart from highlighting certain inadequacies in the “old” SCCs, declared the EU-US Privacy Shield to be invalid. One of the main aims of the new SCCs is to incorporate terms that put certain safeguards in place to grant a minimum level of protection for international transfers of personal data in line with the requirements of the GDPR.
Notably, the new SCCs introduce measures to address requests for access to personal data by public authorities located in third countries in which data may reside. For example, a data importer must, if reasonable grounds exist, challenge a request for access by a public authority. The SCCs have now been updated in light of the GDPR.
The SCCs now incorporate the following modules, which are applicable according to the data processing roles of the parties:
Module 1: Controller to controller
Module 2: Controller to processor
Module 3: Processor to processor
Module 4: Processor to controller
Therefore, controllers or processors exporting data outside the EU/EEA need only incorporate the clauses found within the module applicable to them. This certainly offers some clarity compared to the old SCCs, which did not cover the situations envisaged in Modules 3 and 4.
Interestingly, Article 1 of the Commission’s implementing decision implies that the SCCs are only applicable where the data importer (controller, processor or sub-processor) is not subject to the GDPR. A strict reading of this could therefore imply that the SCCs shall not be necessary where the data importer is already subject to the GDPR on an extra-territorial basis, such as where a non-EU entity targets EU data subjects (in terms of Article 3(2) GDPR). The EDPB’s opinion or other authoritative elucidation on this matter would be welcomed.
Effective dates and transitory period
The SCCs became effective as of 27th June 2021. However, the European Commission has allowed a transitory period of 18 months, allowing entities to continue to use the old SCCs until the end of such period, since many contracts which apply the old SCCs are already in force. Moreover, the Commission has allowed entities some room to become familiar with the new SCCs by allowing a three-month transition period whereby any new processing activities can still be carried out using the old SCCs. In other words:
- The new SCCs can be used as of 27th June 2021
- Any new contracts signed after the 27th September 2021 must necessarily incorporate the new set of SCCs
- Any existing contracts incorporating the old SCCs must be updated by the 27th December 2022.
The new SCCs have already received their fair share of criticism, not least by Max Schrems himself:
Unfortunately, it seems that these new SCCs are not the ‘magic wand’ that some might have wished them to be. In some cases, simply inserting the SCCs into a contract is not sufficient, especially when transferring personal data to third countries such as the USA, which has certain problematic national laws that conflict with the norms enshrined in the GDPR.
The new SCCs do not resolve this issue, and any EU entities intending to transfer personal data to countries like the USA must take this into account and take appropriate measures to safeguard against it, such as, for instance, encrypting or pseudonymising the personal data prior to sending it to such countries or, as a last resort, choosing a service provider located in a different country altogether. That is, of course, a delicate commercial matter that will not be debated here.