Shift from a territory-based to jurisdiction-based approach to international data transfers.
The European Commission’s draft decision implementing renewed SCCs (‘draft’) seems to change a general understanding of what an ‘international data transfer’ is as Article 1 of the draft points out to ‘the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679’.
There are at least two (maybe more?) conceivable implications of the above:
1) the #GDPR data transfer rules will not be applicable where data is transferred from a EU-based company to a non-EU based company subject to the GDPR pursuant to Article 3(2).
2) if a non-EU based company subject to the GDPR pursuant to Article 3(2) transfers data to another non-EU based company not subject to the GDPR – then this is considered international data transfers which triggers the applicability of the GDPR International data transfer rules (so, such companies may choose to enter into #SCC as a safeguard for such transfer).
Interestingly, the first sentence of the Recital 7 of the draft contradicts to this new thinking and still reproduces a traditional territory-based approach.