Confusion about data transfers after European Commission’s sleight of hand
When publishing the new Standard Contractual Clauses the European Commission (hereafter: Commission) did something remarkable. The Standard Contractual Clauses (SCCs) are meant to enable the transfer of personal data from the European Union (EU), Norway, Iceland, and Liechtenstein (European Economic Area, EEA), to a country outside the EEA that does not guarantee an adequate level of protection to the data. By agreeing on additional safeguards, the exporter and importer can still process the data safely in the recipient country. The Commission has now unexpectedly changed the definition of international transfers. It is no longer the case that every transfer of personal data to a system outside the EU/EEA is qualified as an international transfer. Rather, a transfer only qualifies as an international transfer if the personal data will no longer be directly protected by the GDPR in the recipient (third) country. The Commission states that organisations may only use the SCCs if the GDPR does not already apply to the importer in the third country anyway.
