News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Why it is unlikely the announced supplemental SCCs will materialize Related reading: Can the new standard contractual clauses work for small business?

rss_feed

""

7, 12, 18

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers).

This announcement is a change in course for the EC. When the EC launched the 2021 SCCs this summer, Recital 7 stated they are unnecessary when the data processing by the data importer is already directly governed by GDPR. According to the EDPB meeting minutes, the EC will develop a set of additional SCCs specifically for these transfers, it can be inferred that the EDPB viewed the issue differently and that the EDPB considers such transfers still subject to the transfer rules (otherwise, no supplemental SCCs would be required for this situation).

Recital 7 reads:

“(…)  The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.”

Recital 7 has been the topic of debate ever since the 2021 SCCs were issued. At the time, it was anticipated the EDPB would have a different view than the EC. As recitals are not binding by nature,  commentators had already indicated that, notwithstanding Recital 7, companies in practice might end up ignoring Recital 7 and still enter into the SCCs when the data importer is directly subject to GDPR.

In a similar vein, companies are likely to continue to use the 2021 SCCs rather than wait for the announced supplemental SCCs. For starters, it will take time for these supplemental SCCs to materialize (if these ever will at all, which we doubt, see below). But it also becomes harder to ignore that the EDPB has now confirmed — albeit implicitly — they do view such transfers to data importers to require a transfer mechanism.

Background

The position of the EDPB that the transfer rules also apply where GDPR already governs the data importer is not surprising. It is the longstanding position of the EDPB and its predecessor, the WP29, that the transfer rules apply where factual transfers take place between the EU and non-EU countries, regardless of whether the non-EU data importer was already bound by GDPR. See also Kuner in “The GDPR, A Commentary,” see p. 758:

“The interaction between Article 3 and Chapter V (on data transfers) can result in situations where the GDPR applies to a non-EU controller or processor, and the data transfer mechanism must be used in order to transfer data to such parties. It is a pity that the proposals made in the GDPR legislative process to merge applicable law rules with those on trans-border data flows and produce a single provision dealing with the protection of personal data processed or transferred outside the EU were not adopted. The relationship between Article 3 and Chapter V has been the subject of discussions in the EDPB. However, as things now stand, Article 3 and Chapter V must be applied separately, and compliance with one does not remove the obligation to comply with the other when it is applicable.”

The position of the EDPB is further in line with the language of the GDPR, where Article 45 refers to transfers to countries that are considered not to provide an adequate level of protection. In other words, even if GDPR governs the relevant processing, the laws of the relevant country could prevent that despite the GDPR being applicable, an adequate level of protection could be ensured. In that sense, the SCCs do provide additional protection against, for example, powers to access data based on local law, e.g., by including notification obligations that are not provided for by GDPR.

Against this background, the inclusion of Recital 7 in the EC Implementing Decision of the new SCCs was surprising to say the least. If anything, it showed a lack of alignment between the EC and EDPB. In public seminars, EC representatives later clarified the recital was included because there was no clear position and agreement of the EDPB on the issue yet, and they considered the SCCs not to be the right mechanism to apply to these transfers as they do not provide added value. When the data importer is directly subject to the GDPR, many of the SCCs safeguards will already directly apply to the importer by virtue of the GDPR. Thus, it would be up to the EDPB to provide guidance on which transfer mechanism should be used instead.

Given the diversity of the opinions, we consider it unlikely the EC and EDPB will quickly see eye to eye on what the supplemental SCCs should look like. On one end of the spectrum, the EC considers the new SCCs superfluous and will likely consider them a very watered-down version of the existing modules as the GDPR already applies directly to the data importer. On the other end, we have the EDPB that will likely require the full scope of the requirements to be imposed by the new SCCs, already for the reason to facilitate contractual enforcement of important GDPR provisions by the data exporter. Whether you agree with this “doubling up” of requirements to ensure enforcement by both DPAs and the contract parties, this approach is already part of how the GDPR is designed. For example, where GDPR applies directly to processors, Article 28 GDPR still requires these requirements to be contractually agreed to by the controller with the processor. Arguments to the contrary were, at the time, dismissed for the added value of contractual enforcement. From this perspective, the 2021 SCCs with the various modules are completely suitable, making them the preferred default solution of the EDPB.

On a final note, we flag that both Recital 7 and the minutes of the EDPB meeting refer to where GDPR directly applies to the data importer based on Article 3(2). The issue at hand, however, emerges when the GDPR applies directly to the data importer based on Article 3(1) GDPR (where a non-EEA controller has establishments in the EU and the data is also processed in the context of the EU establishment).

Photo by Simone Secci on Unsplash

FAQs & Resources on 'Schrems II'

The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.

Click to View

Members of the Privacy Bar Section of the International Association of Privacy Professionals have come together to produce this collective work, designed to assist newer and veteran practitioners alike to better understand the particulars of drafting and negotiating data processing agreements.

Print version | Digital version


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Authors
Headshot Lokke Moerel IAPP Member Contributor
Headshot Alex van der Wolk IAPP Member Contributor
Tags
Privacy Law
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment Wim Nauwelaerts • Nov 5, 2021 
    You reference to the EC's position in Recital 7 of Commission Implementing Decision (EU) 2021/914, but that same position is also reflected in Article 1 of the Decision. Recitals may not be binding by nature, but Article 1 of the Decision definitely is, wouldn't you agree?  In that case, simply "ignoring" the EC's position is not a valid option.
  • comment Robert Baugh • Nov 24, 2021 
    Thank you, great analysis. I'd go further than say the 3(2) SCCs may not arrive and say they should not, for a few reasons. 1. Imagine a US controller (say a CRM SaaS) caught by 3(2) because of online monitoring; they're caught only for the processing of the data in question for those activities, they're not covered for 100% of their processing (eg their own HR processing which is all US). If a corporate customer in the EEA then uses the US CRM (let's ignore Schrems), it transfers data as controller to the (here) US processor, and the US processor is not covered by GDPR for that under 3(2) for that processing. 2. Great note by you on Art 45, and Art 46(1) is equally clear. Chapter V says adequacy or Art 46 or 49, no mention of 3(2). 3. The EDPB Guidelines on transfers makes the right case that one simply looks at whether data goes from the EEA to outside the EEA. 4. In practice, I believe organisations look at this discussion as Privacy pros creating a technical Gordian knot for no practical reason; it gives GDPR a bad name and makes organisations throw up their hands in despair. We need to present simple solutions for organisations, not go down potential technical rabbit holes, we should instead fill them in. The EDPB Guidelines are good in that sense and the existing SCCs should do for any transfer.
Related Stories
The updated standard contractual clauses — A new hope?
5
And so, at last, they’re here. Met with a level of anticipation — and, it must be said, apprehension — equal only to the announcement of a new Star Wars film, the new European Union standard contractual clauses for “the transfer of personal data to third countries” (that’s international transfers, t...
Read More queue Save This
European Commission adopts new SCCs
The European Commission adopted two sets of standard contractual clauses. The new SCCs include a set for controllers and processors and another for transferring data to third countries. The SCCs are aligned with the EU General Data Protection Regulation and the Court of Justice of the European Union...
Read More queue Save This
EDPB, EDPS publish joint opinions on draft SCCs
The European Data Protection Board and European Data Protection Supervisor published their joint opinions on the European Commission's Implementing Decision on standard contractual clauses. The opinions cover the SCCs between controllers and processors and the transfer of data to third countries. Th...
Read More queue Save This
FAQs & Resources on 'Schrems II'

The IAPP is publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.

Click to View

Members of the Privacy Bar Section of the International Association of Privacy Professionals have come together to produce this collective work, designed to assist newer and veteran practitioners alike to better understand the particulars of drafting and negotiating data processing agreements.

Print version | Digital version

Related Stories
Tags
Privacy Law
Transborder Data Flow
Recent Comments