The release of new standard contractual clauses (SCC) for safeguarding personal data being transferred out of the EU did not come as a surprise in data protection circles, but it certainly will be a lot of work to read through the documents and renegotiate current contracts with customers and suppliers.
One of the main points of confusion was whether the new SCC would apply to companies within the EU with a non-EU parent or subsidiary. It seems they do: because the processing a US organization carries out on any exported personal data is almost certainly 'being carried out in the context of the activities of its establishment in the EU', the GDPR applies and the data export counts as an international transfer. This necessitates SCC or another transfer mechanism to safeguard the data, and possibly a further assessment of the risks involved, with supplementary measures taken to protect the data further.
This is the timeline privacy professionals need to take into account when implementing the new SCC:
- June 27 - the decision takes effect, which means any organization that wants to use the new clauses for a new data transfer can do so from that date.
- Sept. 27 - organizations can continue using the old clauses for new transfers until this date, but all new transfers will require the new clauses to be in place from that date forward.
Bird & Bird International Data Protection and Practice Partner and Co-head Ruth Boardman suggests using the old clauses for new transfers until that date:
"If you ask [a processor] to sign the new SCC they will be including in that a commitment that sub-processors have given substantially similar commitments to them, so that three-month period is actually really helpful because it allows people to sort out their supply chains."
- Dec. 22, 2022 - the final date to keep in mind, which is the deadline by which the old clauses must be fully replaced.
Don’t forget: Supplementary measures
The news comes as the European Data Protection Supervisor (EDPS) released a report examining data transfer case law, and the European Data Protection Board (EDPB) will focus its recommendations on supplementary measures at its next plenary session. These measures have been widely regarded as far-reaching: an example of one such measure would be client-side encryption. This would give customers control of the encryption keys and make customer data indecipherable to the provider. On the flip side, this also makes any processing of such data by the supplier (near) impossible, while such processing is oftentimes the very goal of engaging the supplier.
Surprisingly, Google, which a lot of organisations use for email or other business functions, has announced that it is enabling client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Currently, only documents (and the personal data contained in them) can be encrypted. Support for Google Meet is coming in the fall.