Thursday, 21 November 2024

European Union’s Standard Contractual Clauses (SCC)

On 21 March 2022, the United Kingdom finalized the adoption of its own version of the European Union’s Standard Contractual Clauses (SCC), a contractual mechanism aiming at securing personal data protected under a data protection framework to third countries not deemed to offer an “adequate” level of data protection.

An updated document for transfers initiated under the UK General Data Protection Regulation (GDPR) was needed following the Schrems II decision, which occurred while the United Kingdom was still an EU member state and which the European Union fixed by adopting new versions of the SCC in June 2021 but only after the United Kingdom had finalized Brexit.

The United Kingdom’s draft International Data Transfer Agreement (IDTA) and Addendum were laid before Parliament on 22 February 2022 and finally adopted on 21 March 2022 without changes. The IDTA is an equivalent contract to the SCC but uses a tabular approach in place of the modules used by the SCC. The alternative instrument that was introduced, the Addendum, provides UK data exporters with a semi-seamless mechanism where they can leverage their existing SCC for transfers initiated under the EU GDPR.

Transfer From The European Union To The United States: En Route For Schrems Iii?

On 25 March 2022, European Commission President Ursula von der Leyen and United States President Joe Biden announced an “agreement in principle” on a new EU-U.S. data sharing system, expected to replace the Privacy Shield framework invalidated under the Court of Justice of the European Union’s (CJEU) Schrems II decision in 2020 (see our alert here).

As no draft of that “agreement” has been circulated, the existing grievances against U.S. intelligence agencies’ access to personal data protected under GDPR remain and concerns relating to ‘effective legal remedies available to individuals protected under GDPR will need to be addressed. 

While such a political statement is encouraging for the future of international data transfers, this announcement should not be construed as relieving companies subject to GDPR’s territorial scope (see our alert here) from implementing adequate data transfer mechanisms until more concrete elements are adopted.

Direct Publication Source: https://www.natlawreview.com/article/international-personal-data-transfers-eventful-week

Comments


You May Like These Too


Get Latest Updates