The release of new standard contractual clauses (SCC) for safeguarding personal data being transferred out of the EU did not come as a surprise in data protection circles, but it certainly will be a lot of work to read through the documents and renegotiate current contracts with customers and suppliers.
Confusion
One of the main points of confusion was whether the new SCC would apply to companies within the EU with a non-EU parent or subsidiary. It now seems that, because the processing a US organization performs on any exported personal data is almost certainly ‘carried out in the context of the activities of its establishment in the EU’, the GDPR applies and the data export counts as an international transfer. This necessitates SCC or another transfer mechanism to safeguard the data, and possibly a further assessment of the risks involved, with supplementary measures taken to protect the data further.
Timeline
This is the timeline privacy pros need to take into account for implementing the new SCC:
Don’t forget: Supplementary measures
The news comes as the European data protection supervisor (EDPS) released a report examining data transfer case law, and the European data protection board (EDPB) will focus on recommendations for supplementary measures in its next plenary session. These measures have been widely regarded as far-reaching: an example of one such measure would be client-side encryption. This would give customers control of the encryption keys and make customer data indecipherable to the supplier. On the flipside, this also makes any processing of such data by the supplier (near) impossible, while such processing is oftentimes the goal.
Surprisingly, Google, which a lot of organisations use for email or other business functions, has announced that it is enabling client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Currently, only documents (and the personal data contained in them) can be encrypted. Support for Google Meet is coming in the fall.