Data Protection Update – CJEU to consider the validity of the standard contractual clauses

9th October 2017
Derby Office Icon

 

We have been expecting this news for a while, but last week it was finally confirmed that the validity of the Standard Contractual Clauses (SCCs) is to be reviewed by the Court of Justice of the European Union (CJEU).

The SCCs are one of the mechanisms available under the Data Protection Act 1998 (DPA) to validly transfer personal data outside the EEA, and are widely used by businesses. The General Data Protection Regulation 2016 (GDPR), which will replace the DPA from 25th May next year, also permits transfers of personal data outside the EEA where parties enter into the SCCs.

The future of the SCCs has been under threat since Max Schrems made his successful challenge to the validity of the Safe Harbour (a mechanism that facilitated the transfer of personal data between the EU and USA), on the basis that the Safe Harbour did not ensure an adequate level of protection for the personal data of EU data subjects.

The Safe Harbour has since been replaced by the Privacy Shield. However, to overcome the demise of the Safe Harbour, many businesses (including Facebook) have switched to using the SCCs to enable them to continue to transfer their customers’ personal data to the USA. This, inevitably, brought the validity of the SCCs into the spotlight…

What does this development mean for businesses?

 

Essentially, businesses that currently use the SCCs to ensure compliance with the DPA when transferring personal data outside the EEA may need to change their practices (for example, by using Binding Corporate Rules as the basis for inter-group transfers or even by requiring that the recipients of such personal data establish a base within the EEA). The level of fines that will apply to breaches of the GDPR when it comes into force next year, as well as the fact that the provisions relating to transfers of personal data outside the EEA will apply to data processors in addition to data controllers, mean that this is an issue that will need to be given serious attention by businesses.

It’s likely, however, that the CJEU will take at least a year to come to its decision, so there’s no requirement for immediate action. That said, we would recommend that businesses start to give some thought to how they might be able to make changes to their current arrangements should the CJEU rule that the SCCs are invalid.

If you would like any further information about the issues concerned in this update, please contact a member of our Information Law Team or Commercial Law Team.

RELATED:INFORMATION LAW >>GELDARDS GUIDE TO GDPR >> EMPLOYMENT >>


MORE FROM THE ADVICE CENTRE

Blogs

Cyber-Security Issues & Increased Obligations under the GDPR
15/02/2017
The National Cyber Security Centre (NCSC) opened this week and is promised to be the “authoritative voice on information security in the UK”.
more...

Publications

Geldards Guide to General Data Protection Regulations (GDPR)
27/01/2017
The General Data Protection Regulation (‘GDPR’) is the new EU data protection framework replacing the current Data Protection Directive implemented in the UK by the Data Protection Act 1998.
more...

PARTNER

Lowri Phillips

LOWRI PHILLIPS

Partner, Cardiff

+44 (0)29 2039 1758
email
more...

SOLICITOR

Camille French-Williams

CAMILLE FRENCH-WILLIAMS

Solicitor, Cardiff

+44 (0)29 2038 6522
email
more...

HEAD OF KNOWLEDGE MANAGEMENT

Hayley Lewis

HAYLEY LEWIS

Head of Knowledge Management, Cardiff

+44 (0)29 2039 1785
email
more...

PROFESSIONAL SUPPORT LAWYER

Helen Snow

HELEN SNOW

Professional Support Lawyer, Cardiff

+44 (0)29 2039 1497
email
more...