International data transfers for Data Importers subject to the EU GDPR: EU Standard Contractual Clauses – Second Wave

This article was co-authored by Trainee Solicitor Joshua Curzon.

The EU Commission has announced a consultation on a new set of Standard Contractual Clauses (SCCs) which will exist alongside the SCCs adopted in 2021. International organisations will need to consider whether the data importer is directly subject to the GDPR, in which case these new SCCs apply, or whether the data importer is not subject to the GDPR, in which case the 2021 SCCs apply.

The extraterritorial application of Article 3.2 of the GDPR to organisations based in third countries remains one of the most debated and complex issues regarding international data transfers. It requires non-EEA entities to comply with Chapter V of the GDPR and implement proper data transfer mechanisms, such as SCCs. Following the landmark Schrems II decision, the European Commission (Commission) introduced new SCCs in 2021, designed for third-country data importers not subject to the GDPR. However, these SCCs do not apply when the data importer is already covered by Article 3.2 of the GDPR.

Regulatory timeline

In its Guidelines 05/2021[1], the European Data Protection Board (EDPB) clarified the interplay between Article 3 (which addresses the extraterritorial scope of the GDPR) and Chapter V of the GDPR. The EDPB recognised that data transfers to third countries still trigger Chapter V of the GDPR, even if the data importer in the third country is already subject to the GDPR under Article 3.2. The EDPB called on the Commission to develop a new set of SCCs to address scenarios where both the data exporter and the data importer are subject to the GDPR.

In March 2022, the Commission confirmed via its Frequently Asked Questions that the 2021 SCCs were designed for data importers outside the scope of the EU GDPR. For importers directly subject to Article 3.2, the 2021 SCCs “would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR” [2]. As a result, the Commission began working on an additional set of SCCs.

The process for these new SCCs moved slowly until September 2024, when the Commission announced a consultation for Q4 2024, with the aim to adopt the new SCCs in Q2 2025. These SCCs will address transfers to third-country controllers and processors already subject to the GDPR.

The Commission is well aware that organisations have faced significant challenges adapting to the post-Schrems II landscape and the adoption of the 2021 SCCs. The upcoming consultation will allow both public and private entities to share their concerns and help shape the new SCCs.

What to expect from the new EU SCCs

The new SCCs are expected to be a simplified version of the current ones, focusing on risks specific to third-country transfers, such as conflicting local laws (e.g., excessive government access to data) and difficulties in obtaining legal redress outside the EU. Unlike the existing SCCs, these will likely not require a transfer impact assessment, which would ease the burden on organisations. It is likely that the EDPB will produce guidelines in relation to the new SCCs.

It is anticipated that organisations will be given a transition period of one to two years to implement the new SCCs.

For third-country organisations importing or exporting personal data from the EU, this means revisiting existing SCCs to determine which transfers must be conducted under the new SCCs. It will be necessary to determine whether the data importer is directly subject to the GDPR (or not) in order to apply the correct set of SCCs. While the new SCCs aim to simplify compliance, they will add another layer of complexity to the already challenging framework for international data transfers.

New SCCs: New challenge for extraterritorial application

The new SCCs are likely to reignite questions about the enforceability of the GDPR’s extraterritorial application.

While Article 3.2 gives the GDPR a clear legal scope beyond the EU, practical enforcement is much more complicated. Enforcing GDPR fines or requirements in non-EU jurisdictions, such as the U.S., China, or Russia, may require the cooperation of non-EU governments or local courts, and involve navigating conflicts between local data protection laws and EU standards.

The recent Uber case, discussed below, is one of the few instances where an EU-based entity has faced enforcement for failing to comply with Chapter V requirements when transferring data to a parent company in the U.S. which is subject to the GDPR.

A case to watch: Dutch DPA's fine on Uber [3]

The timing of the Commission’s announcement on the new SCCs may not be coincidental. On 26 August 2024, the Dutch Data Protection Authority (DPA) imposed a €290 million fine on Uber for failing to put in place appropriate safeguards for intra-group transfers of data to the U.S., a third country, as required under Chapter V of the GDPR. A complaint from the CNIL (the French DPA) raised concerns that sensitive data belonging to EU drivers was inadequately protected due to the absence of SCCs.

Uber argued that SCCs were unnecessary because Uber Inc. in the U.S. was already subject to Article 3.2, implying that Chapter V should not apply. Uber further cited the 2021 SCCs’ recitals and previous public statements by the Commission to support this view. The Dutch DPA dismissed these arguments, creating tension with official guidance and demonstrating the importance of implementing SCCs or other appropriate safeguards, even for organisations subject to Article 3.2.

This case acts as a cautionary tale for non-EEA companies that frequently transfer data to third countries. It highlights the importance of implementing the appropriate legal instruments (like SCCs or Binding Corporate Rules) to ensure compliance with the GDPR’s extraterritorial requirements.

The new SCCs expected in 2025 will likely clarify these obligations, helping third-country organisations navigate international data transfers while remaining compliant with the GDPR.

We will continue to monitor developments and report back as the consultation progresses later this year.

 

[1] https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en
[2] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en
[3] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us
