Following the adoption of the revised set of Standard Contractual Clauses (“SCC”) under the GDPR by the European Commission (EC) and the Recommendations on measures that supplement data transfer tools by the European Data Protection Board (EDPB), a new set of SCCs as well as relevant EDPB guidance are to be expected in relation to data transfers to non-EU data importers, as discussed in the 54th Plenary Meeting of the EDPB.
The revised SCC can be relied upon as a data transfer mechanism on condition that the processing in the third country by the recipient (data importer according to the SCC terminology) is not subject to the GDPR (recital 7), creating thus a great deal of uncertainty as to the appropriate way to handle cross border data transfers in the event that the data importer is located in a third country but is caught by the extraterritorial reach of the GDPR pursuant to Article 3 (2) GDPR. In acknowledgement of this regulatory gap, the EDPB proclaims that it will commence drafting guidelines on the interplay between Article 3 and Chapter V GDPR, while the EC will develop specific SCCs intended to capture transfers from data exporters in the EEA to data importers in third countries within GDPR’s ambit.
The new developments are awaited with much anticipation as they will shed light into the interplay between the GDPR’s extraterritorial reach and data transfer restrictions. Companies already in the process of updating their contracts to incorporate the new SCCs will have to stand ready to adjust also to this new set of SCCs expected in the near future.