Monthly Archives: September 2024

EU Standard Contractual Clauses – Public Consultation

This month (September 2024), the European Commission has announced that it plans to ask for public feedback on the EU Standard Contractual Clauses (SCCs) under the General Data Protection Regulation. The public consultation will take place in the fourth quarter of 2024, giving you an opportunity to have your views and opinions heard.

This is not unexpected – the GDPR’s Article 97 requires the Commission to review the GDPR’s implementation every four years (see the 2020 Evaluation Report here). The upcoming 2024 review was expected to include an evaluation of the practical application of the SCCs.

New SCCs in 2025

According to the timeline, the public consultation is imminent and due to take place in the 4th quarter of 2024. This would be followed by a draft act, planned for Commission adoption in the 2nd quarter of 2025. You can find more information and a timeline here.

What are SCCs?

Standard contractual clauses are standardised, pre-approved model data protection clauses, which allow controllers and processors to meet their obligations under EU and / or UK data protection law. 

They are widely used as a tool for data transfers to third countries (which means those countries outside the EEA or the UK that do not have adequacy status). It is quite a simple matter for controllers and processors to incorporate them into their contractual arrangements.

The clauses contain data protection safeguards to make sure that personal data benefits from a high level of protection even when sent to a third country.  By adhering to the SCCs, data importers are contractually committed to abide by a set of data protection safeguards.

Can I change the text?

The core text cannot be changed. If parties do change the text themselves, they will no longer have the legal certainty offered by the EU act. If you amend the clauses, then they can no longer be used as a basis for data transfers to third countries, unless they are approved by a national data protection authority as “ad hoc clauses”.

Even so, there are areas where the parties can make choices:

  • To select modules and / or specific options offered within the text
  • To complete the text where necessary (eg to specify time periods, supervisory authority and competent courts)
  • To complete the Annexes
  • To include additional safeguards that increase the level of protection for the data. 

Impact on UK use of SCCs

There is not yet any indication of the potential impact on the UK’s International Data Transfer Agreement (IDTA) or the Addendum to the EU’s SCCs; we would expect to hear more after the EU’s public consultation.

Victoria Tuffill – 13th September 2024

If you have any questions or concerns about how and when to use SCCs, please call 01787 277742 or email dc@datacompliant.co.uk

And please take a look at our services.

Massive €290 Million Uber fine for EU-US data transfers

Last week the Dutch Data Protection Authority fined Uber a massive €290 million for transferring personal data from EU to US servers without adequate protections. This is a massive fine – one of the largest seen to date under GDPR.

According to the Dutch DPA, Uber collected sensitive information (eg account details, taxi licenses, location data, photos, identity documents and some criminal and medical data) from its EU drivers and stored it on servers in the US without protective transfer tools for 2 years. There were 170 complaints from French drivers (the complaints were French, but the Dutch DPA issued the fines because Uber’s European Office is in the Netherlands).

When did the breach happen?

The two-year period spanned the time that the Privacy Shield was invalidated, and the Data Privacy Framework came into force. According to the DPA, Uber stopped using SCCs in August 2021, so it found that the data of EU drivers had not been protected adequately. Of course, now that the Data Privacy Framework is in force, there is no ongoing breach.

How could it have been avoided?

Uber could have used Standard Contractual Clauses to transfer its personal data to the US.

What does this mean for others?

This gives an indication of how significant data transfer mechanisms and risk assessments are. Uber intends to appeal the fine and the outcome of the appeal will be of interest to many businesses. The 2020 EU Court ruling that invalidated Privacy Shield really left a great deal of legal uncertainty over how to continue the data flows that were already in place. There was also very limited help or guidance after the invalidation of Privacy Shield. And it took until 2023 – that’s three years – for the Data Privacy Framework to be established. There will be many companies who would have been slow to – or failed to – build Standard Contractual Clauses into their contracts, and who will be concerned about the nature of this retroactive fine.

Victoria Tuffill – 2nd September 2024
