Maybe you don't need the SCC?

by Eva Jarbekk


On 4 June this year, the European Data Protection Board (EDPB) published a new agreement, a so-called Standard Contractual Clause (SCC), which can be used to transfer personal data to countries outside the EEA. This is very relevant for the use of many cloud services.

Such transfers to countries outside the EEA require a specified level of data protection in the recipient country. Many have been concerned about whether the new SCC now allows for a risk-based approach to what should be considered an adequate level of data protection. There are many indications that this is the case, but this will soon be elaborated on by the EDPB, which is expected to come up with new guidelines for the transfer of personal data. The EDPB has a meeting tomorrow and this is something they have on the agenda.

At the same time, there is another, very important aspect of the new SCC, which has not yet received much attention in Norway. It is conceivable that one does not need an SCC for the transfer of personal data to third countries at all. If so, much of the discussion about the legal use of cloud services would have to be completely different.

The background is that when the EU decided on the new SCC, it did so through a so‑called "Implementing decision" from the Commission. Such a decision has a number of "recitals", which say something about how the SCC should be understood. In recital 7, the EU emphasizes that the SCC can only be used if the processing in the third country is not subject to the GDPR. The wording is as follows:

«... The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of the Regulation (EU) 2016/679.»

Or to put it another way: if the one processing the information in the third country is subject to the GDPR, then the SCC cannot be used. In fact, a standard data processor agreement is sufficient.

The reason is that the relevant information is already "protected", as the provisions of the GDPR must be respected. At the same time, the GDPR has, to a very large extent, so-called extraterritorial effect. Article 3 stipulates that the processing of personal data about Europeans must comply with the GDPR, regardless of whether the processing takes place within the EU or not. The same applies if a player outside the EU offers services to Europeans.

This has major consequences. In most scenarios where a European data controller transfers personal data to a non-European data processor, it will then not be possible to use the SCC. A very simple example is a Norwegian online store that uses a subcontractor in the USA for communication with its customers and operation of its websites. Due to Article 3 of the GDPR, all the processing for which the online store is responsible will be subject to the provisions of the GDPR, and an SCC is not needed for the transfer.

However, Recital 7 does not stop there. It continues as follows:

«This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation ..»

This means that because the US data processor's processing is subject to the GDPR, the SCC must be used for any further transfers from the US company to a new third party that is not within the EU's borders. An example might be that the US company offers a feature that allows customers to store their card information until the next time they buy something, and that information is stored on servers operated by another US company.

Such a restrictive use of the SCC does not immediately appear logical when previous SCCs have been used precisely for transfers to countries outside the EEA. In many ways, it is hard to believe that the EU intended the use of SCCs to be so limited. The wording and its interpretation are not uncontroversial and have led to extensive discussion among data protection experts. The prevailing view is that this must be further clarified by the EU. It is also said that the Directorate-General for Justice and Consumers will soon provide a clarification of how this was intended, as well as of a number of other unresolved issues. It is also necessary to clarify whether the parties to an SCC can agree on deviating provisions on exemption from liability; this too is not made clear in the wording.

If recital 7 is to be taken quite literally, the future will be complicated: companies that send personal data back and forth across national borders must keep track of which of their subcontractors are subject to the GDPR and which are not. It is no exaggeration to say that it will be exciting to see how this develops. These are exciting times for data protection, and one can only hope that the EU now simplifies the legal framework rather than complicating it even further.
