EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?
Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
As we previously wrote at the time of the Schrems II decision, one of the alternate mechanisms for data transfers are Standard Contractual Clauses. While the court concluded that SCCs remained valid, it outlined restrictions that have been giving companies pause. Of note was the comment that companies relying on SCCs would need to take proactive roles in making sure that there was an “adequate level of protection” of data in the importing jurisdiction. In sum, companies can continue to rely on SCCs as a mechanism, but would need an “SCC plus” approach to address the need for adequate levels of protection, including the European Data Protection Board’s concerns (described below).
To better understand how SCCs would be received in the wake of the Schrems II decision and what might constitute how to assess levels of protection, many have been watching the various EU countries’ privacy authorities for guidance. Some, like the DPA for Hamburg, have called for revisions to and/or more scrutiny of the SCCs. Others, like France and Norway, indicated that they are “analyzing” the impact. Germany’s conference of data protection authorities, the DSK, reiterated the need to assess adequate security if relying on SCCs (without indicating how specifically to do this). The European Data Protection Board for its part, confirmed that the SCCs “remain valid,” but emphasized that in practice both the data importer and exporter should take context into account to make sure that protection is adequate.
To assist businesses, the EDPB recently issued a set of FAQs, where it reiterated the need for an assessment that “takes into account the circumstances of the transfers and supplementary measures you could put in place.” These include “making sure that U.S. law does not impinge on the adequate level of protection.” How, specifically, a company would go about making this determination was not covered in the FAQs.
Putting it Into Practice: Companies who rely on SCCs for their data transfers from the EU to the U.S. will want to think about the context of the transfer in light of this recent EDPB direction. Many also anticipate that the wording of the SCCs may change in the future. Stay tuned to our next article discussing the limits of consent for data transfers from the EU to the US.