BRUSSELS -- Today, global tech trade association ITI submitted comments on the European Commission’s updated Standard Contract Clauses (SCCs) for transferring personal data to non-EU countries, welcoming the Commission’s focus on pursuing a risk-based approach as foreseen in the General Data Protection Regulation (GDPR).
“SCCs are a more critical tool than ever for international data transfers, especially since the invalidation of Privacy Shield in July,” said John Miller, ITI’s Senior Vice President of Policy, Trust, Data and Technology. “We welcome the European Commission’s work on updating the SCCs and fully endorse a continued risk-based approach to international data transfers. At the same time, it is critical that the Commission creates consistent and clear rules regarding third-countries’ government access to European data for law enforcement or national security purposes.”
Importantly, businesses large and small alike will be tasked with reworking contracts or potentially developing or activating alternative data and business continuity plans to adapt. To ensure companies have enough time to transition and adapt to the new SCCs, ITI recommends in its submission to the European Commission expanding the currently foreseen 12-month transition period to 24 months.
ITI also suggests clarifying obligations on data importers and exporters related to government requests, and better aligning the draft recommendations issued by the European Data Protection Board (EDPB), which diverge from the GDPR’s risk-based approach. ITI further asks the Commission to provide clearer guidance in the form of an explanatory preamble or an FAQ document that can explain how controllers, processors and sub-processors should apply and use the SCCs in practice. Furthermore, ITI urges clarification in places where potential conflicts between the updated SCCs and the GDPR could arise.
ITI’s complete comments are available here.