News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | What to expect on revised standard contractual clauses Related reading: Post-‘Schrems II’: Understanding Baden-Württemberg’s updated guidance on international data transfers

rss_feed

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in early September, Commissioner for Justice Didier Reynders expressed hope that the long-awaited revision of standard contractual clauses would be finalized by the end of this year. 

This statement undoubtedly caught the attention of the privacy community. Many privacy professionals are under intense pressure from their organizations to continue with the transfer of EU personal data to countries outside of the EU. At the same time, they need to comply with a series of additional measures imposed by the Court of Justice of the European Union in the "Schrems II" decision. 

This creates great pressure and uncertainty. Amid this pressure, privacy professionals are looking for any guidance and certainty that regulators can provide. The revised SCCs are seen as part of the solution, although we hasten to add it is unlikely they alone will address all the requirements imposed by the “Schrems II” decision. 

By way of background, SCCs are one of several methods that companies can put in place to legally transfer EU personal data to recipients outside of the EU. They are not the only method but certainly one of the more frequently used methods. The IAPP’s 2019 Governance Survey found that 88% of respondents whose organizations move personal data out of the EU rely on SCCs.

There are two sets of SCCs: one that deals with international transfers of EU personal data to processors, and another that deals with transfers to controllers. All currently existing SCCs were issued under the 1995 Data Protection Directive, the predecessor of the EU General Data Protection Regulation.

The original 2002 controller-to-processor SCCs were revised by the European Commission in 2010 to address issues raised by the ever-increasing globalization, outsourcing and subcontracting of personal data. The original 2001 controller-to-controller SCCs were supplemented in 2004 by an alternative set of clauses that were perceived to be more business-friendly on issues such as allocation of responsibilities and auditing requirements. The alternative set of SCCs was developed by a coalition of business associations and accepted by the European Commission because, in the eyes of the commission, this new set of clauses offers the same level of protection to EU personal data as the original SCCs.

The upcoming revision of the SCCs that Reynders referred to in his statement at the LIBE Committee has been in the works for quite some time. The revision process was initially prompted by the need to adjust the SCCs to align more directly with the GDPR. The European Commission, however, chose not to finalize the revision process and release the new SCCs prior to the conclusion of the “Schrems II” case, recognizing that the decision could necessitate additional changes.

As we all know, the CJEU upheld the validity of the SCCs but indicated that the data controller must conduct a case-by-case assessment of the protection that SCCs can provide, taking into account the nature of the data that is transferred, country of destination and type of company to which the data is transferred.

It is unknown what the new SCCs will say on “Schrems II.” A draft is circulating within the European institutions for review and not yet publicly available. It would be surprising if the new SCCs did not address the CJEU decision, but it may be overly optimistic to think that they will provide the much-needed certainty that privacy professionals are looking for. The additions are likely to be reasonably high level and generic and unlikely to replace the case-by-case assessment that the “Schrems II” decision seems to require from controllers that want to transfer EU personal data to destinations outside the EU.  

The most probable scenario for the additions to the SCCs is that the revised SCCs will contain an additional representation from the data exporter that it has verified — and is satisfied — that the law of the third country of destination ensures adequate protection under EU law for the transferred data and that the level of protection required by EU law is respected in the country of destination. There also may be an additional requirement imposed on the data importer to assist the data exporter with making this determination, if so requested by the data exporter.

It is unlikely that the revised SCCs will go beyond these general requirements, especially since the CJEU made it clear that in issuing SCCs, the European Commission has no obligation to evaluate the level of data protection of the countries to which EU personal data could be transferred under the SCCs (paragraph 130 of the “Schrems II” decision). That difficult task is left to the data exporter that makes use of the SCCs and ultimately to the national supervisory authorities that are reminded they must suspend or prohibit transfers that do not offer the required level of protection.  

The revised SCCs are unlikely to contain details on how data exporters are expected to determine the adequacy of the country of destination. Many companies are working on so-called “transfer impact assessments,” which they hope to use for their current and future data transfers, in combination with the revised SCCs. Almost invariably, the data importer will be requested to assist in this exercise. Even then, many companies deplore they are placed in a position in which they are expected to become experts in third-country laws and hope for much-needed additional guidance from the national supervisory authorities or the European Data Protection Board.   

These TIAs may need to be updated if the law changes in the country of destination. Under the existing SCCs, the data importer is already required to inform the data exporter of such changes, when they have a substantial effect on the guarantees provided by the SCCs. The revised SCCs could make this clearer, perhaps by making this into a separate obligation of the data importer. 

The additions or revisions to the SCCs that are prompted by the coming into force of the GDPR are easier to predict, at least in the controller-to-processor SCCs. Article 28(3) of the GDPR states that any sharing of personal data by a controller with a processor requires a written contract with very specific provisions. These mandatory provisions go beyond what was required in a controller-processor relationship under the Directive. They also go beyond the provisions of the current C2P SCCs.

While Article 28(3) of the GDPR focusses on intra-community data sharing, many companies use the SCCs — and only the SCCs — when sharing data with processors located partly in the EU and partly outside of the EU or only outside of the EU. In both cases, some of the mandatory provisions of Article 28(3) of the GDPR are missing. This could be resolved by requiring companies to put in place a full-fledged Article 28(3) agreement on top of SCCs for those processors that are located outside of the EU. 

That could prove to be burdensome. It is, therefore, generally anticipated that the provisions in the revised SCCs for C2P transfers will resemble more closely the list of Article 28(3) of the GDPR requirements. This means adding certain provisions and obligations on the processor that are currently missing. Examples include an obligation for the processor and any person acting under its authority entrusted with the processing of personal data to maintain strict confidentiality, an obligation to render assistance when the controller needs to conduct a privacy impact assessment and requires information from the processor to do so, an obligation to provide timely notification to the controller in case of a personal data breach of which the processor has become aware, or obligations relating to data retention and deletion upon the termination of the processing relationship.

For many companies, these additional requirements in the C2P-revised SCCs will not be totally new as controllers have already started to add an extra annex to the current SCCs with precisely these additions. These controllers realized that the current SCCs are outdated and incomplete, and they took it upon themselves to add the missing provisions without waiting for the European Commission to take the initiative. Companies that have taken this extra step will need to see whether their own additions match the new C2P SCCs when these become available.

Many companies are also hopeful that the European Commission will use the opportunity to simplify the structure of SCCs, especially the controller-to-controller SCCs. Many have expressed confusion with regard to the Annex of the data protection principles, which places compliance obligations on the data importer.

Once the revised SCCs are out, companies will need to determine an appropriate method to put them in place for their inter-affiliate transfers and transfers to third parties. Existing transfers under the current SCCs will need to be reviewed in light of the “Schrems II” decision and the existing SCCs replaced or amended. 

The European Commission will issue a decision whereby it most likely will repeal the decisions adopting the current SCCs. On a previous occasion, more specifically the replacement of the 2002 SCCs for processors by the 2010 version, companies were given a three-month grace period to replace the old SCCs with the new SCCs. It is unclear whether the European Commission foresees a grace period in this instance. 

The 2010 decision does not address whether the replacement can be done by way of an annex to existing signed SCCs. The European Commission is likely to follow the same path with the current revision and leave it to the parties to determine the best way to implement the revisions. Much will depend on the extent of the revisions. If the revisions are limited to a few additional clauses, it may be possible to capture them in an annex that would supplement a set of SCCs that parties have put in place. If the revisions are throughout the text of the SCCs, a replacement of the entire SCCs seems appropriate.   

While there remains lots of uncertainty for companies engaged in international data transfers, it is clear they should focus on getting transfer impact assessments, however provisionally, underway and think through the best method to update or replace the SCCs they currently have in place. Companies should also update internal training materials to reflect the new realities imposed by the “Schrems II” decision.

Photo by Juliana Kozoski on Unsplash

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

Data Processing Agreements

Members of the Privacy Bar Section of the International Association of Privacy Professionals have come together to produce this collective work, designed to assist newer and veteran practitioners alike to better understand the particulars of drafting and negotiating data processing agreements.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Jetty Tielemans IAPP Member Contributor
Tags
Europe
Privacy Law
Privacy Operations Management
Transborder Data Flow
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

Data Processing Agreements

Members of the Privacy Bar Section of the International Association of Privacy Professionals have come together to produce this collective work, designed to assist newer and veteran practitioners alike to better understand the particulars of drafting and negotiating data processing agreements.

Print version | Digital version

Related Stories
Tags
Europe
Privacy Law
Privacy Operations Management
Transborder Data Flow
Westin Research Center
Recent Comments