The key data regulators that oversee the European Union’s strict privacy regulation on Friday agreed to a beefed-up set of contractual terms and conditions to provide more clarity about the level of protection data transfers to countries outside the EU can enjoy.
Since Europe’s top court in July scrapped the Privacy Shield and called into question the adequacy of the other two favored mechanisms to transfer personal data between the European Union and United States—standard contractual clauses (SCCs) and binding corporate rules—companies have been pushing for clarity about how they can continue to send data safely without fear of breaching the General Data Protection Regulation (GDPR).
While the European Commission and its counterparts in the United States have indicated any replacement mechanism is at least months away, the European Data Protection Supervisor and European Data Protection Board (EDPB) announced draft revisions to SCCs that should clarify the level of protection they can give to those companies controlling and processing data.
The EDPB said the draft SCCs for the transfer of personal data to third countries will replace those currently in use, bringing them in line with GDPR requirements and taking into account the concerns of the “Schrems II” judgment from July.
In its judgment, the Court of Justice of the European Union pulled the plug on the Privacy Shield with immediate effect over fears U.S. snooping laws could force companies to hand over EU citizens’ data easily and without consent—violating the protections they would expect under EU rules.
Although the new SCCs will not provide 100 percent protection, they include more specific safeguards should the laws of a destination country allow public authorities and criminal agencies to issue companies with binding requests to disclose personal data.
“Given our practical experience, we have made these comments to improve these SCCs with a view to fully ensure that personal data of EU citizens is afforded an essentially equivalent level of protection when transfers to third countries take place,” said Wojciech Wiewiórowski, the European Data Protection Supervisor, in a press release. “We believe these suggestions and amendments are crucial in order to achieve these aims in practice.”
The EDPB adds companies should also follow its list of “supplementary measures” published last November to better ensure data transfers to third countries are compliant with the GDPR. One of these “safety” measures is for companies to suspend or prohibit any data transfer if equivalent protection is not guaranteed.