A global think tank has published a list of recommendations to the European Commission for updating standard contractual clauses, or SCCs, for international transfers.
In a white paper published last week, the Centre for Information Policy Leadership (CIPL), a global privacy and security think tank with offices in Washington D.C., London, and Brussels, dug into some of the issues that companies can face while transferring personal data. CIPL broke down how many of the issues can be remedied if they were better aligned with the EU’s General Data Protection Regulation (GDPR).
The European Commission has said previously that it plans to update the existing standard contractual clauses for the GDPR but that it was looking for input from organizations to feed into its actions; last week’s white paper serves as CIPL’s input.
CIPL, which is part of a law firm that specializes in privacy and data security, Hunton Andrews Kurth, points out that SCCs aren't going anywhere and will more than likely be the "preferred mechanism for companies in a post-Brexit world to ensure continuity of existing data flows to the United Kingdom."
SCCs, standard sets of contractual terms and conditions that the sender and the receiver of personal data both agree to, are commonly used by companies that transfer data outside of the European Economic Area to comply with Article 46 ("Appropriate Safeguards") of the GDPR. The European Commission has issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU and one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU.
The think tank is urging the European Commission to do a number of things when it comes to SCCs, namely to clarify the relationship between adequacy decisions and SCCs, to provide guidance reassuring the market that SCCs are and will remain valid, and to help organizations better understand when SCCs are required and how they should be interpreted.
The think tank closes out the document (.PDF) with a handful of additional recommendations for the EC, including:
- The Commission should provide for a grandfather clause enabling the current contracts to remain valid under the GDPR or, at minimum, enable organizations to prioritize the uptake of the new SCC template on the basis of the following criteria
- CIPL recommends that the updated version of the SCC is aligned with the wording of Article 30 GDPR to facilitate the filling out of the appendices.
- In line with article 28 of the GDPR, importers must be permitted to engage subprocessors under a general authorization of the exporter.
- Importers should be enabled to enter into one single set of SCC in a P to P relationship when they are processing personal data and acting on behalf of different controllers.
- The Commission should consider guidance to identify the security standards that are acceptable and address how this list would be updated if new standards are deemed appropriate in the future, without the need to re-execute the SCC.
- With respect to audits, the Commission should also provide that it is an acceptable modification of the SCC for providers to mandate an accredited third party to conduct a regular audit of their data processing facilities and provide the certificate to the data exporter and supervisory authorities on request.
CIPL is also encouraging the Commission to improve how SCCs are formatted. An ideal format, CIPL claims, would be one single electronic template with a drop-down menu covering the possible situations that organizations can choose from. CIPL is also urging the Commission to collect feedback from organizations in real time and update the template accordingly.