Shift from a territory-based to jurisdiction-based approach to international data transfers.

Shift from a territory-based to jurisdiction-based approach to international data transfers.

The European Commission’s draft decision implementing renewed SCCs (‘draft’) seems to change a general understanding of what an ‘international data transfer’ is as Article 1 of the draft points out to ‘the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679’.

There are at least two (maybe more?) conceivable implications of the above:

1) the #GDPR data transfer rules will not be applicable where data is transferred from a EU-based company to a non-EU based company subject to the GDPR pursuant to Article 3(2).

2) if a non-EU based company subject to the GDPR pursuant to Article 3(2) transfers data to another non-EU based company not subject to the GDPR – then this is considered international data transfers which triggers the applicability of the GDPR International data transfer rules (so, such companies may choose to enter into #SCC as a safeguard for such transfer).

Interestingly, the first sentence of the Recital 7 of the draft contradicts to this new thinking and still reproduces a traditional territory-based approach.

Leave a Reply

Your email address will not be published.