August 15, 2020

Volume X, Number 228

August 14, 2020

Subscribe to Latest Legal News and Analysis

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.

As we previously wrote at the time of the Schrems II decision, one of the alternate mechanisms for data transfers are Standard Contractual Clauses. While the court concluded that SCCs remained valid, it outlined restrictions that have been giving companies pause. Of note was the comment that companies relying on SCCs would need to take proactive roles in making sure that there was an “adequate level of protection” of data in the importing jurisdiction.  In sum, companies can continue to rely on SCCs as a mechanism, but would need an “SCC plus” approach to address the need for adequate levels of protection, including the European Data Protection Board’s concerns (described below).

To better understand how SCCs would be received in the wake of the Schrems II decision and what might constitute how to assess levels of protection, many have been watching the various EU countries’ privacy authorities for guidance. Some, like the DPA for Hamburg, have called for revisions to and/or more scrutiny of the SCCs. Others, like France and Norway, indicated that they are “analyzing” the impact. Germany’s conference of data protection authorities, the DSK, reiterated the need to assess adequate security if relying on SCCs (without indicating how specifically to do this). The European Data Protection Board for its part, confirmed that the SCCs “remain valid,” but emphasized that in practice both the data importer and exporter should take context into account to make sure that protection is adequate.

To assist businesses, the EDPB recently issued a set of FAQs, where it reiterated the need for an assessment that “takes into account the circumstances of the transfers and supplementary measures you could put in place.” These include “making sure that U.S. law does not impinge on the adequate level of protection.” How, specifically, a company would go about making this determination was not covered in the FAQs.

Putting it Into Practice: Companies who rely on SCCs for their data transfers from the EU to the U.S. will want to think about the context of the transfer in light of this recent EDPB direction. Many also anticipate that the wording of the SCCs may change in the future. Stay tuned to our next article discussing the limits of consent for data transfers from the EU to the US.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 212


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and conducting e-mail, mobile, cause, and other forms of marketing. She also helps clients with trademark prosecution matters.


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...