On June 16, 2023, the Council of Europe’s Committee of Convention 108+ (i.e., the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) adopted Model Contractual Clauses for cross-border data flows (“MCCs”). The MCCs are intended to cover the transfers of personal data to countries that are not parties to Convention 108+. According to the Council of Europe, the MCCs have the potential to bridge similar data transfer tools – such as the European Commission’s Standard Contractual Clauses – and to contribute to the convergence towards appropriate data protection standards globally.
Convention 108+ and Cross-Border Transfers of Personal Data
Convention 108+ was drafted by the Council of Europe in 1981 to ensure the protection of the right to privacy of individuals and is the first international legally binding instrument on data protection (see here). Convention 108+ has had a significant reach and inspired many regional and national data protection regulations (including the EU GDPR). To this day, it has been ratified by 33 European and non-European countries.
Convention 108+ restricts the transfer of personal data to recipients in countries that have not ratified the Convention. However, the Committee of Convention 108+ has found that pre-approved, standardized safeguards provided by legally binding and enforceable instruments can help ensure an appropriate level of protection when personal data is sent to third countries. During its 44th plenary meeting in Strasbourg, the Committee therefore adopted the MCCs for transfers of personal data from a controller in a Convention 108+ country to a separate controller in a country that is not a party to Convention108+.
Similarities/Differences Compared to Other Data Transfer Tools
Similar to other regional or national transfer tools (such as the European Commission’s Standard Contractual Clauses for international data transfers under the EU GDPR, the ASEAN’s Model Contractual Clauses, the Chinese Standard Contractual Clauses, or the Argentinian Model Contractual Clauses) the MCCs are standardized and pre-approved clauses that can easily be incorporated into agreements to secure personal data transfers.
Compared to the European Commission’s Standard Contractual Clauses (“SCCs”) in particular, the following key similarities can be observed:
- The MCCs should not be modified, except to add or update information in the Annexes or to select an option provided by a specific clause;
- An organization that is not a party to MCCs can also adhere to the clauses with the authorization of the original contracting parties (e., similarly to “Docking Clause” in the SCCs);
- Both the SCCs and MCCs regulate onward transfers of personal data (by the data importer); and
- Under the MCCs, the data importer must agree to submit itself to the jurisdiction of its data exporter (e., one of the Member States of Convention 108+), which is similar to the requirements imposed by the SCCs.
However, the MCCs will currently only be useful to address data transfers between controllers. Unlike the SCCS, they cannot be used for controller-to-processor or processor-to-processor transfers. It can therefore be expected that the Committee of Convention 108+ will issue additional sets of MCCs in the (near) future.
The supervisory authorities of the countries that are parties to Convention 108+ are now expected, in accordance with the Convention’s enforcement protocols, to approve the MCCs. Following that approval, each Member State will have to incorporate the MCCs into the existing set of data transfer instruments available to data exporters.