Privacy & Information Security Law Blog

On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) hosted a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers (“SCCs”). More than 30 privacy leaders joined together to discuss the challenges of the current SCCs and provide their insights on the updated versions. Hunton partner David Dumont led the discussion, while CIPL President Bojana Bellamy illuminated CIPL’s work in this area. The session also featured Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers.

The seminar attracted a range of privacy professionals who responded to a quick survey regarding their preferred data transfer mechanisms and their experiences with SCCs. Key takeaways from this survey include:

• 77% of the participating companies rely on SCCs to legitimize data transfers outside of the European Economic Area, 14% of the participants transfer personal data based on the European Commission’s adequacy decisions (including the decision recognizing the EU-U.S. Privacy Shield framework as providing adequate protection), and only 9% have put in place Binding Corporate Rules.
• 52% of the participating companies have more than 100 SCCs in place, 39% have 10-100 SCCs in place, while 9% have less than 10 SCCs in place.
• Out of the three available sets of SCCs, the most frequently used set is the Controller-to-Processor SCCs , which 88% of the participating companies use. None of the participants use the 2001 Controller-to-Controller SCCs.
• It generally takes either up to three months or up to six months to execute SCCs.
• The participants’ biggest challenge in executing or maintaining SCCs was multiparty contractual scenarios and the qualification of the data importer as a data controller or data processor.
• 68% of the participants identified a need to incorporate the requirements of Article 28 of the EU General Data Protection Regulation into the Controller-to-Processor SCCs.
• When asked about new sets of SCCs, 84% of the participants identified the need to put in place Processor-to-Subprocessor SCCs.

The Seminar also highlighted the advantages of SCCs, such as (1) the absence of formalities vis-à-vis EU data protection authorities; (2) the possibility to transfer data to any non-EU country; (3) the application to both intra-group and external data flows; and (4) their effectiveness as a quick and readymade tool, especially appreciated by Small and Medium Enterprises. Participants mainly identified SCC disadvantages as due to (1) the absence of flexibility as SCCs cannot be modified; (2) the administrative burden that SCCs entail; (3) the non-application to specific data transfer scenarios, such as data transfers between a Processor-to-(Sub)Processor; and (4) the uncertain outcome of the Schrems II case, which is pending before the Court of Justice of the European Union. In that context, participants also discussed possible solutions to remedy these disadvantages.