Cross border data transfer- An Overview of Adequacy Decision, SCC and BCR


Data is now termed as a highly valuable asset which used for business expansions plans globally. With the technology driven world and high delivery speed big data is transferred internationally without boundaries just in fraction of seconds. However, these cross-border data transfers/ flows are regulated. As of now approx. 110+ countries have enforced data protection and privacy laws.

The EU-GDPR is one of the first expansive legislation that introduced regulatory roadmap for cross-border data flows and introduced the safeguards like Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs); but most importantly it empowered the EU Commission to render an Adequacy Decision, which enables free data flows in and out of EU. The Adequacy Decision is based on a thorough assessment on whether the non-EU country has appropriate legal safeguards for data protection equivalent to those in the EU.

Background of EU-US Privacy shield

Previously the most recognised safeguard for cross border data transfer was the EU-US Privacy Shield Framework which was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. However, in July 2020 the Court of Justice of the European Union, invalidated the EU-US Privacy Shield (Schrems II) but upheld the validity of SCCs.

Countries recognised

The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom and Uruguay under the GDPR, as providing adequate protection.

Standard Contractual Clauses

Under the GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries with a non-adequate data protection level. This includes model contract clauses or standard contractual clauses (SCCs) – that have been pre-approved by the European Commission. On June 4, 2021, the Commission published two sets of new SCCs. The new standard contractual clauses reflect new requirements under the GDPR as well account for the legal analysis in the Schrems IIdecision.

Blinding Corporate Rules

Binding Corporate Rules (BCRs) is other safeguard which enables the data transfers to third country under the GDPR. Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises while being GDPR compliant. These corporate rules need to include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. As of now very few BCRs are approved.

Way forward

To enable free data flow representatives from EU and USA are undergoing negotiations to implement a new transatlantic data transfer regime for smooth flow of data between the two jurisdictions. The Department of Commerce is leading the negotiations for the United States. Similar to the approach pursued by the Trump Administration, the Biden Administration is reportedly seeking to address EU concerns by providing greater assurances through executive orders and administrative action on how the United States safeguards non-U.S. citizens’ personal data and how Europeans can pursue redress

in U.S. courts for any alleged misuse of their data.

As an alternative to Privacy Shield, GDPR provides the mechanisms of BCRs and SCCs enabling companies to transfer data while complying with EU data protection rules, as explained above. However, this may come with additional compliance burdens as compared to Privacy Shield. Other alternatives would be for the EU to establish codes of conduct or certifications that meet GDPR requirements which organizations could apply to their cross-border data transfers and business practices which could be U.S.-EU specific or at a broader, global level.

For detailed reading refer to this report on EU-US Transatlantic data flow.

To learn more about cross border data transfers and how we can assist you in implementing these mechanisms in your organisation, check out our data privacy services page.

Disclaimer: This blog is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.