编者按:
在不久的将来,欧盟委员会将就期待已久的标准合同条款(SCCs)模块进行磋商,该模块适用于向直接受 GDPR 管辖的第三国控制者和处理者进行的数据传输。这一举措对于解决跨境数据传输的复杂性。
The Commission has already issued 4 modules of SCCs covering various transfer scenarios. However, a key issue has emerged: if a data importer is located outside the EEA but directly subject to GDPR, should SCCs still be required? It has been argued that if the importer is already bound by GDPR, SCCs might cause an inefficient duplication of obligations, potentially creating confusion for businesses trying to comply with overlapping legal requirements.
到目前为止,欧盟委员会已经发布了 4 个 SCC 模块,涵盖各种转移情况。【见数据跨境流动 | 欧盟新版标准合同条款(最终版)全文翻译】然而,一个关键问题出现了:如果数据进口商位于欧洲经济区之外,但直接受 GDPR 约束,是否仍然需要 SCC?有观点认为,如果数据进口者已经受 GDPR 约束,SCC 可能会导致义务重复,效率低下,可能会给试图遵守重叠法律要求的企业造成混乱。
While there are unofficial indications from the Commission that SCCs may not be necessary for these scenarios, this is not yet a formal position. The European Data Protection Board (EDPB), however, has taken a much clearer stance. Accordingly, it has concluded that SCCs should indeed be required, even when the importer is subject to GDPR, as they address potential contradictions between foreign laws and EU regulations.
虽然欧盟委员会有非官方迹象表明,在这些情况下可能不需要SCC,但这还不是一个正式的立场。不过,欧洲数据保护委员会(EDPB)的立场要明确得多。因此,它得出结论认为,即使进口商受 GDPR 的约束,也确实需要 SCC,因为它们可以解决外国法律与欧盟法规之间的潜在矛盾。【具体见EDPB《关于GDPR第3条的适用与第五章的国际转移规定之间的相互作用的05/2021准则》2.0版本-中文翻译】
This debate is not just theoretical but is already playing out in practice. Specifically, the recent Uber 290 million euros fine in the Netherlands highlighted the confusion around this issue. Uber argued that no SCCs were required for data transfers to its US operations because Uber Technologies Inc., as a joint controller with Uber B.V., was already subject to GDPR requirements. However, the Dutch Data Protection Authority (DPA) (Autoriteit Persoonsgegevens) rejected this argument, emphasizing that even importers under GDPR obligations could be subject to foreign laws that conflict with EU standards, reinforcing the need for SCCs in such scenarios.
这种争论不仅是理论上的,而且已经在实践中上演。具体来说,最近 Uber 在荷兰被罚款 2.9 亿欧元的事件就凸显了围绕这一问题的混乱。Uber 辩称,向其美国业务转移数据不需要 SCC,因为 Uber Technologies Inc. 作为 Uber B.V. 的联合控制方,已经受 GDPR 要求的约束。但是,荷兰数据保护局(DPA )(Autoriteit Persoonsgegevens)驳回了这一论点,强调即使是承担 GDPR 义务的进口商也可能受制于与欧盟标准相冲突的外国法律,从而加强了在这种情况下签订 SCC 的必要性。
The new SCC module aims to resolve this confusion by clearly outlining the obligations for third-country importers directly subject to GDPR. It will help ensure consistent compliance while avoiding the unnecessary duplication of requirements that could burden businesses.
新的 SCC 模块旨在通过明确概述直接受 GDPR 管辖的第三国进口商的义务来解决这一困惑。这将有助于确保一致性合规,同时避免不必要的重复要求,以免给企业造成负担。