The Schrems II decision of the Court of Justice of the European Union (CJEU) from July 2020 has raised several questions in relation to data transfers from the EU to third countries based on standard contractual clauses (SCCs). In particular, the CJEU has requested that data exporters implement “supplementary measures” if the data importer is not able to comply with its obligations under the SCCs considering applicable local laws.
In response to the Schrems II decision, the EU Commission finally adopted new and updated SCCs in June 2021. However, aside from the predominant questions in relation to Schrems II, the recitals of the SCCs raised new questions for European data exporters, especially which types of processing activities are considered a ‘transfer’ and in which scenarios data exporters are required to conclude SCCs.
Guidelines on the interplay between Article 3 and Chapter V of the GDPR
According to the minutes of the EPDB’s 54th plenary meeting, the EDPB intends to finalise new guidelines on the interplay between the GDPR provisions on the territorial scope (Article 3 GDPR) and the provisions on transfers of personal data to third countries (Chapter V of the GDPR) soon. The EDPB members have also discussed the interpretation of the term ‘transfer’, which is not legally defined in the GDPR. The guidelines that are currently being drafted are supposed to contain a definition of ‘transfer’ with clear prerequisites, and include practical examples that will hopefully provide clarity.
European Commission to adopt new set of EU standard contractual clauses
The minutes of the EDPB’s 54th plenary meeting also reveal that the EU Commission will develop a new set of SCCs following the adoption of the above-mentioned EDPB guidelines. The new set should be seen as the Commission's response to questions relating to recital 7 of the SCCs.
According to sentences two and three of the recital, the SCCs may only be used “to the extent that the processing by the importer does not fall within the scope of the GDPR”. This shall also include data transfers of controllers or processors not established in the EU “to the extent that the processing is subject to [the GDPR] […] pursuant to Article 3(2) thereof”.
Hence, the new set of SCCs will apply to transfers to those data importers established outside of the EU that are subject to the GDPR under Article 3(2) by offering goods or services to data subjects in the EU or monitoring their behaviour as far as it takes place in the EU. It is likely that this new set of SCCs will be less extensive than the current set because these data importers are already bound by the GDPR. The crucial provisions of the new set of SCCs will probably deal with public authority access requests in accordance with Section III (clauses 14 and 15) of the current set of SCCs.
Adequacy decision for South Korea expected soon
On 16 June 2021, the EU Commission launched the process to adopt the adequacy decision for South Korea, which was intended to supplement the “EU-Republic of Korea Free Trade Agreement”. The Commission concluded that South Korea's legal data protection framework ensures a level of data protection that is equivalent to that of the GDPR.
According to the minutes of the EDPB’s 55th plenary meeting from last September, the members of the EDPB revised some provisions of the Commission's draft of an adequacy decision for South Korea regarding South Korean privacy laws especially with regard to the South Korean privacy regulator and its powers.
The EDPB approved the EU Commission's draft adequacy decision for South Korea, which include the changes from the meeting. The Commission is now expected to adopt and issue the adequacy decision in a timely manner.