Standard Contractual Clauses (SCCs) are an essential tool that enables the transfer of personal data from the European Union (EU) to non-EU countries, while providing adequate safeguards for the rights and freedoms of data subjects. In essence, SCCs are legal instruments that define the contractual terms that entities rely on when transferring personal data across borders.

The importance of SCCs was highlighted in the recent landmark decision of the Court of Justice of the European Union (CJEU) in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Schrems II). The CJEU invalidated the EU-US Privacy Shield, a framework that allowed certified US entities to process personal data of EU citizens, citing concerns over US surveillance practices and inadequate protection of EU citizens' data privacy rights. The decision left SCCs as the primary legal tool for transferring personal data outside the EU.

The Information Commissioner's Office (ICO) has been at the forefront of providing guidance to organisations on the use of SCCs since the Schrems II decision. The ICO published guidance on international data transfers in the aftermath of the decision, highlighting the need for organisations to undertake a risk assessment of the data transfer, and identify additional measures to mitigate the risks. The guidance recognised that SCCs may not provide sufficient safeguards in some situations, and additional technical or contractual measures may be necessary.

The ICO's guidance emphasised the importance of due diligence on the recipient of the data, including the recipient's legal system, and the nature of the data being transferred. It suggested that organisations consider the use of encryption, pseudonymisation, and other technical measures to protect the transferred data. The ICO recommended that organisations document their assessments and measures taken to demonstrate accountability.

Organisations must also ensure that SCCs are used appropriately. SCCs are not a “one size fits all” solution and must be tailored to the specific circumstances and risks of the data transfer. The ICO acknowledges that some data controllers may need to use bespoke clauses in addition to, or instead of, SCCs, to provide adequate protection for personal data.

In summary, SCCs are an essential tool for transferring personal data outside the EU, but they are not a panacea. Organisations need to undertake due diligence on the recipient and consider additional measures to mitigate risks. SCCs may not be suitable in all circumstances, and bespoke clauses may be necessary. The ICO's guidance on international data transfers provides a valuable roadmap for organisations navigating these complex issues.
