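Editor's note:
In the near future, the European Commission will hold a consultation on the long-awaited standard contractual clauses (SCCs) module, which applies to data transfers to controllers and processors in third countries that are directly subject to the GDPR. This initiative, for addressing the complexity of cross-border data transfers.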
The Commission has already issued 4 modules of SCCs covering various transfer scenarios. However, a key issue has emerged: if a data importer is located outside the EEA but directly subject to GDPR, should SCCs still be required? It has been argued that if the importer is already bound by GDPR, SCCs might cause an inefficient duplication of obligations, potentially creating confusion for businesses trying to comply with overlapping legal requirements.
[See: Cross-Border Data Flows | Full Translation of the EU's New Standard Contractual Clauses (Final Version)]
While there are unofficial indications from the Commission that SCCs may not be necessary for these scenarios, this is not yet a formal position. The European Data Protection Board (EDPB), however, has taken a much clearer stance. It has concluded that SCCs should indeed be required, even when the importer is subject to GDPR, as they address potential contradictions between foreign laws and EU regulations.
[For details, see the EDPB's Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, version 2.0 (Chinese translation)]
This debate is not just theoretical; it is already playing out in practice. The recent 290 million euro fine imposed on Uber in the Netherlands highlighted the confusion around this issue. Uber argued that no SCCs were required for data transfers to its US operations because Uber Technologies Inc., as a joint controller with Uber B.V., was already subject to GDPR requirements. However, the Dutch Data Protection Authority (DPA, Autoriteit Persoonsgegevens) rejected this argument, emphasizing that even importers under GDPR obligations could be subject to foreign laws that conflict with EU standards, reinforcing the need for SCCs in such scenarios.
The new SCC module aims to resolve this confusion by clearly outlining the obligations for third-country importers directly subject to GDPR. It will help ensure consistent compliance while avoiding the unnecessary duplication of requirements that could burden businesses.