Two updates that companies may find helpful regarding standard contractual clauses for cross-border transfers of personal data following the invalidation of the EU-US Privacy Shield program.
Guidance from EU Data Protection Authorities
In the wake of the Schrems II decision from the Court of Justice of the European Union (CJEU), several EU Data Protection Authorities (DPAs) have issued guidance indicating how they will interpret and enforce the decision. The decision impacts international data transfers from the European Union (EU) to the U.S., invalidating the EU-U.S. Privacy Shield and calling for enhanced scrutiny of Standard Contractual Clauses (SCCs). The DPAs have taken varying stances on the validity of SCCs ranging from deeming SCCs “generally still valid” subject to case-by-case analysis (e.g., France and Denmark), to advising companies to cease transfers to the U.S. and switch to service providers located in the EU or a third country with an adequacy determination (e.g., the Netherlands).
FAQ Guidance from the EDPB
The European Data Protection Board (EDPB) has released FAQ guidance in response to the Schrems II ruling. The guidance addresses a range of topics, including the lack of a grace period for the ruling to take effect, and whether or not SCCs are a valid transfer mechanism. The EDPB states that “supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, [ ] have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.” The EDPB provides almost identical guidance regarding the use of Binding Corporate Rules (BCRs).