Ending months of anxious speculation from privacy lawyers around the globe, the European Commission announced on Friday that it had adopted final versions of the new Standard.
The legislation updates the Children’s Online Privacy Protection Act (COPPA) by prohibiting internet companies from collecting personal information from anyone 13 to 15 years old.
The new SCCs offer a number of improvements over the old SCCs:
By providing for processor-to-controller and processor-to-processor transfers, the Commission has plugged one of the most significant gaps in the old SCCs. Among other industries, the pharmaceutical industry will welcome the new flexibility: US (and other third country) clinical trial sponsors that are not established in Europe will soon be able to use the SCCs to cover routine transfers of EU clinical study data from their European CROs (which are processors).
In addition, it is now clear that controllers who are subject to the GDPR but are not established in the EU can sign the SCCs as data exporters. This has been a vexingly unclear matter under the old SCCs, with some data protection authorities maintaining that controllers that are not based in the EU cannot sign as the exporter, despite the fact that a large number of companies have chosen to do exactly that in light of the lack of approved alternatives and the st
European Union approved Standard Contractual Clauses (SCCs) and have been upheld by the EU’s top court; however, the Court has invalidated Privacy Shield with immediate effect, ensuring that European personal data is adequately protected when it is transferred.
Processor to Processor (NEW!)
By providing for processor-to-controller and processor-to-processor transfers, the Commission has plugged one of the most significant gaps in the EU’s approved data transfer mechanism. Among other industries, the pharmaceutical industry will welcome the new flexibility: US (and other third country) clinical trial sponsors that are not established in Europe will soon be able to use the SCCs to cover routine transfers of EU clinical study data from their European CROs (which are processors). In addition, it is now clear that controllers who are subject to the GDPR but are not established in the EU can sign the SCCs as data exporters.