The modernization of ”standard contractual clauses” used for transferring personal data to non-European Union (EU) countries is one of the improvements identified by the European Commission in its evaluation of the General Data Protection Regulation (GDPR), which took effect in 2018.  Standard contractual clauses are the most widely used tool by companies and other organizations to lawfully transfer personal data from EU member states to non-EU countries.

Background on GDPR

The GDPR established a single set of rules on the processing and free movement of personal data, replacing a 1995 EU directive on data protection. The GDPR established the rules for lawfully transferring personal data from EU member states to countries outside the EU, and those rules have been influential in the development of other countries’ data protection standards. The GDPR also included a new governance system aimed at establishing a level playing field for all companies operating in the EU, regardless of the member state in which they are established. 

Other highlights of GDPR evaluation report

• The European Data Protection Board (EDPB) will issue specific guidance on the use of certification and codes of conduct for transferring data outside of the EU and will publish guidelines on other emerging topics. The EDPB is an independent European body that contributes to the consistent application of the EU’s data protection laws and promotes cooperation between member states’ data protection authorities. 
• Increased efforts would aim to improve citizens’ awareness of the GDPR and their rights.
• Engagement with stakeholders would aim to support small and medium-sized firms’ use of the GDPR. The EDPB will issue toolkits aimed at supporting small and micro-enterprises. 
• The commission will urge member states to improve the resources allocated to national data protection authorities. The commission says there are currently “stark differences” between the authorities.
• The adoption of a more efficient and harmonized approach by member states’ data protection authorities to support the GDPR’s ”one stop shop” provisions, enabling companies to deal only with one data protection authority when making cross-border data transfers.
  

Related resources

• Information on standard contractual clauses (European Commission)
• Information on  European Data Protection Board (European Data Protection Board)
• European Data Protection Board guidelines (European Data Protection Board)
• Press release and other review resources (European Commission, 24 Jun 2020)
• Regulation (EU) 2016/679 (EurLex, 27 Apr 2016)