Modernising GDPR toolbox for international data transfers

The Commission wants to ensure a high level of protection for personal information

The Commission has published two sets of draft model data protection clauses to launch the process to revise the existing Standard Contractual Clauses. These clauses are the most commonly used tool for international data transfers, including for transatlantic data flows. 

The General Data Protection Regulation (GDPR) provides a broad toolbox for international data transfers and standard clauses that companies can use.

The modernised clauses will assist companies with their efforts to comply with the GDPR requirements. For its work on modernising the Standard Contractual Clauses, the Commission has also taken into account the guidance from the Schrems II judgment. It concerns Austrian national Maximilian Schrems, a Facebook user since 2008, whose personal data was transferred by Facebook Ireland to servers belonging to Facebook Inc., located in the United States, where it undergoes processing. Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that “the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country”.

Saying that international data flows are the lifeblood of a modern economy, Vice-President for Values and Transparency, Věra Jourová, commented that with the updated tool, the Commission wants to ensure a high level of protection of our personal data regardless of where they are and when they travel. We also want to help businesses with their compliance efforts, she added.

Didier Reynders, Commissioner for Justice, noted that the Commission did not start from scratch after the Schrems II judgment. We were already working intensively to modernise the existing Standard Contractual Clauses, ensuring they correspond to modern business realities, he explained.

The publication of the draft model data protection clauses - one on standard contractual clauses between controllers and processors located in the EU, and the other on the transfer of personal data to third countries - is the beginning of a process towards their adoption. The draft clauses have been sent to the European Data Protection Board and the European Data Protection Supervisor for their opinion.

After taking these opinions into account, as well as the outcome of the four-week public consultation, the final clauses will be adopted by the Commission, after having obtained the green light from Member States’ representatives in the so-called comitology procedure. The updated clauses will be complemented by the guidance prepared by the European Data Protection Board.
