Shift from a territory-based to jurisdiction-based approach to international data transfers.



The European Commission’s draft decision implementing renewed SCCs (‘draft’) seems to change the general understanding of what an ‘international data transfer’ is, as Article 1 of the draft refers to ‘the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679’.

There are at least two (maybe more?) conceivable implications of the above:

1) the GDPR data transfer rules will not be applicable where data is transferred from an EU-based company to a non-EU based company subject to the GDPR pursuant to Article 3(2).

2) if a non-EU based company subject to the GDPR pursuant to Article 3(2) transfers data to another non-EU based company not subject to the GDPR, this is considered an international data transfer, which triggers the applicability of the GDPR international data transfer rules (so such companies may choose to enter into SCCs as a safeguard for such a transfer).

Interestingly, the first sentence of Recital 7 of the draft contradicts this new thinking and still reproduces the traditional territory-based approach.
