We have been expecting this news for a while, but last week it was finally confirmed that the validity of the Standard Contractual Clauses (SCCs) is to be reviewed by the Court of Justice of the European Union (CJEU).
The SCCs are one of the mechanisms available under the Data Protection Act 1998 (DPA) to validly transfer personal data outside the EEA, and are widely used by businesses. The General Data Protection Regulation 2016 (GDPR), which will replace the DPA from 25th May next year, also permits transfers of personal data outside the EEA where parties enter into the SCCs.
The future of the SCCs has been under threat since Max Schrems made his successful challenge to the validity of the Safe Harbour (a mechanism that facilitated the transfer of personal data between the EU and USA), on the basis that the Safe Harbour did not ensure an adequate level of protection for the personal data of EU data subjects.
The Safe Harbour has since been replaced by the Privacy Shield. However, to overcome the demise of the Safe Harbour, many businesses (including Facebook) have switched to using the SCCs to enable them to continue to transfer their customers’ personal data to the USA. This, inevitably, brought the validity of the SCCs into the spotlight…
What does this development mean for businesses?
Essentially, businesses that currently use the SCCs to ensure compliance with the DPA when transferring personal data outside the EEA may need to change their practices (for example, by using Binding Corporate Rules as the basis for inter-group transfers or even by requiring that the recipients of such personal data establish a base within the EEA). The level of fines that will apply to breaches of the GDPR when it comes into force next year, as well as the fact that the provisions relating to transfers of personal data outside the EEA will apply to data processors in addition to data controllers, mean that this is an issue that will need to be given serious attention by businesses.
It’s likely, however, that the CJEU will take at least a year to come to its decision, so there’s no requirement for immediate action. That said, we would recommend that businesses start to give some thought to how they might be able to make changes to their current arrangements should the CJEU rule that the SCCs are invalid.
If you would like any further information about the issues concerned in this update, please contact a member of our Information Law Team or Commercial Law Team.
INFORMATION LAW >>GELDARDS GUIDE TO GDPR >> EMPLOYMENT >>