Privacy & Information Security Law Blog

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) to be used for the transfer of personal data from a controller or processor subject to the EU General Data Protection Regulation (“GDPR”) (i.e., a data exporter) to a controller or (sub-)processor not subject to the GDPR (i.e., a data importer).

The European Commission (the “Commission”) issued its draft on November 12, 2020, updating the SCCs to align with the GDPR and taking into account the requirements of the Court of Justice of the European Union Schrems II ruling of July 16, 2020. That ruling confirmed the validity of SCCs as a transfer mechanism but required organizations relying on them to assess the laws of the recipient country on a case-by-case basis in order to verify the effectiveness of the transfer mechanism in ensuring compliance with EU data protection requirements, and consider additional safeguards and supplemental measures where necessary.

Once finalized, the updated SCCs will replace the existing set, continuing to allow organizations to demonstrate appropriate safeguards for data transfers to third countries in the absence of an adequacy decision (subject to the requirements of the Schrems II ruling).

CIPL welcomed the opportunity to comment on the draft and highlighted the following points, among others, to the Commission:

• The interplay between the SCCs and Chapter V of the GDPR (relating to international transfer) and Article 3(2) GDPR (relating to its territorial scope) should be clarified;
• The need for Module 4, intended to cover transfers of EU processors to non-EU controllers, should be further explored;
• The language and core GDPR concepts used in the SCCs should be fully aligned and consistent with the GDPR;
• The Commission should provide an FAQ document to address the most common questions regarding the SCCs;
• The one-year period implementation period for the SCCs should be extended;
• A standard of reasonableness with regard to the obligation to challenge requests from third-country governments should be added; and
• The provisions of the SCCs that would create a direct relationship between sub-processors and controllers and/or data subjects should be removed.

Download a copy of CIPL’s full response.