Schrems II Decision

Published on October 7, 2021

This fall begins a new journey for businesses transferring personal data outside the European Economic Area (EEA). On June 4, 2021, the European Union’s executive branch, the European Commission (“EC”), released their highly anticipated new and updated Standard Contractual Clauses (“SCCs”). The EC’s new SCCs are the result of the Court of Justice of the European Union’s (“CJEU”) Schrems II decision, which ultimately invalidated the “EU – US Privacy Shield” – a mechanism designed to regulate the flow of personal data from the European Economic Area (EEA) to “third countries” such as the United States.

Under Article 45 of the General Data Protection Regulation (“GDPR”), personal information can only be lawfully transferred to third countries that the EC has determined to have “adequate” privacy safeguards. Currently, this list of countries is just 13 and the U.S. is not one of them due to U.S. government surveillance laws. Instead, to facilitate commerce, the European Union and U.S. government agreed to the Privacy Shield framework. Until the CJEU’s Schrems II ruling, U.S. companies could self-certify under the Privacy Shield framework, allowing them to receive personal data transfers from the EEA. Prior to the Schremes II decision, the Privacy Shield and SCCs were the most commonly used data transfer mechanisms by U.S. companies.

Standard Contractual Clauses (SCCs)

SCCs are standard sets of contractual terms and conditions approved by the EC to which both the data “exporter” and data “importer” of EEA personal information must agree to before personal data can be transferred outside the EEA to third countries without adequacy decisions. SCCs have been in existence since 2001 and were amended first in 2004 and then again in 2010. The old SCCs were separate agreements: one for data transfers from controllers to controllers and one for data controllers to data processors. Many will find the new SCCs more user-friendly as they are contained in one document consisting of four “modules” for transfers from controller to controller; transfers from controller to processor; transfers to processor to processor; and transfers from processor to controller.

In addition to the new SCCs format, this new version incorporates Article 28 of the GDPR (the old SCCs were developed under the General Data Protection Directive – the GDPR’s precursor). Article 28 sets forth “technical and organisational measures” required for the transfer of personal information from controllers to processors and from processors to sub-processors. Under the new SCCs, the parties no longer need additional data processing agreements for data transfers to data processors.

Transfer Impact Assessments

While the CJEU did uphold the use of SCCs, the Court warned that the use of this data transfer mechanism was not sufficient – data controllers are still required to conduct a data Transfer Impact Assessment (“TIA”) – a case-by-case assessment of all cross-border transfers to ensure that the data protection requirements set forth in the SCCs can actually be met. Article 14 of the SCCs lays out the TIA criteria such as considerations of: 1) the “specific circumstances of the transfer (e.g., categories and format of personal information, the number of individuals involved, type of data recipient, the purpose of processing, etc.); 2) the data laws and practices of the third country of destination; and 3) any supplemental data safeguards needed to ensure compliance with the SCCs data protection requirements such as any additional contractual, technical, or organisational safeguards needed. Also critical to compliance, the data exporter must document its TIAs and make them available to the relevant supervisory authority when requested.

Supplemental Measures

Should the TIA conclude that the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR data transfer mechanism, data exporters must identify and rely upon supplementary measures, as mentioned above, to ensure that personal information is sufficiently safeguarded. For instance, the data exporter may install technical safeguards like data encryption or pseudonymization. The data exporter may also add additional contractual safeguards on the data importer such as requiring additional technical safeguards or requiring it to submit to audits. Finally, the data exporter may rely on organizational measures to enhance data transfer protections such as data transfer policies and procedures and data minimization/purging policies.

New SCCs Enforcement Timeline

The old SCCs were repealed on September 27, 2021, meaning that all new cross-border data transfers must now be governed by the new SCCs. All existing SCCs will remain in effect until December 27, 2022 (and must be updated by that date).

How Advisori Can Help

Advisori has seasoned professionals who know the GDPR, understand the Schrems II decision, and have completed cross-border data inventories, data TIAs, and SCCs for EAA exporters and U.S. importers of personal data.

SCCs Related Services

  • Advisori can assist your organization with data mapping required for your Transfer Impact Assessments.
  • Our privacy experts can assess your existing GDPR Article 46 data transfer mechanisms to see if they remain compliant with the Schrems II decision.
  • We can build your Article 30 Report or enhance your existing Article 30 with the required Transfer Impact Assessment documentation.

Please contact us at [email protected] to learn more.