Standard Contractual Clauses after Schrems Ii

  • Post author:
  • Post category:Uncategorized

The standard contractual clauses (SCCs) have been a crucial tool for international data transfers between the European Union (EU) and third countries that are not deemed to have an adequate level of data protection. However, the Schrems II judgment by the Court of Justice of the European Union (CJEU) in July 2020 has sparked uncertainty among companies relying on SCCs for their cross-border data flows.

The Schrems II ruling invalidated the EU-U.S. Privacy Shield framework, which had been widely used by companies to transfer personal data from the EU to the U.S. The CJEU deemed that the Privacy Shield did not provide adequate protection for EU citizens` data due to the lack of limits on U.S. surveillance activities. Moreover, the court also placed additional obligations on the use of SCCs, stressing that companies must ensure that the SCCs` contractual clauses are enforced in practice and that the data protection authorities can suspend or prohibit data transfers if the clauses` effectiveness cannot be guaranteed.

As a result, many companies are now facing a daunting task of assessing and potentially restructuring their data transfer mechanisms to ensure compliance with the new requirements. The European Data Protection Board (EDPB) has issued guidance to help organizations navigate the Schrems II ruling, noting that companies must carry out a case-by-case assessment of whether the SCCs offer adequate protection for the data transfer in question. This assessment should take into account the law and practices of the third country, the nature of the data being transferred, and the measures put in place to ensure the SCCs` efficacy.

In addition to the EDPB`s guidance, companies can consider implementing additional safeguards to strengthen their data transfer mechanisms. These safeguards can include technical measures such as data encryption, organizational measures such as audit and monitoring procedures, or contractual arrangements such as additional warranties or indemnities from the data importer.

Moreover, the European Commission is currently working on updated SCCs that reflect the requirements of the Schrems II judgment. The new SCCs are expected to provide additional clarity and guidance on the legal obligations that companies need to fulfill when using SCCs for their cross-border data transfers. It is also anticipated that the new SCCs will address some of the deficiencies identified by the CJEU in the Privacy Shield framework, such as the lack of effective legal remedies for EU citizens in case of data breaches or surveillance practices.

In conclusion, the Schrems II judgment has raised significant challenges for companies relying on SCCs for their international data transfers. However, with careful assessment and implementation of additional safeguards, companies can ensure compliance with the new requirements and maintain the continuity of their cross-border data flows. The forthcoming updated SCCs from the European Commission will provide further guidance and clarity on the matter, and companies should closely monitor their publication and incorporate them into their data transfer processes as soon as possible.