What is the EU Commission doing in relation to the use of the Standard Contractual Clauses (SCCs) post-Schrems II?

The key takeaway

Following the uncertainty as to how the SCCs will work in a post-Schrems II world, the European Commission aims to finalise updated rules on the use of the SCCs by the end of 2020 to help give clarity on how EU companies can lawfully transfer data internationally.

The background

The CJEU decision Schrems II invalidated the EU-US Privacy Shield scheme as a lawful data transfer mechanism. However, whilst it stopped short of invalidating the use of the SCCs, it did impose a significant caveat to their use. Namely, it put the onus on data controllers relying on the SCCs to ensure that data-recipient countries maintain adequate levels of protection before any transfer takes place. This creates a complex set of verification obligations for data transfers which are meant to ensure that EU citizens benefit from an equivalent level of data protection (as guaranteed under the GDPR) in other countries to which data is transferred.

The development

Justice Commissioner Didier Reynders has said that EU businesses relying on the SCCs to transfer data to countries outside the bloc will see those rules overhauled by the end of this year. More imminently, the adoption process for the new SCCs will potentially be launched in the coming month. The adoption process will require an opinion from the European Data Protection Board and a positive vote from the European Parliament and EU member states.

Why is this important?

Following the invalidation of the EU-US Privacy Shield, the EU has scrambled to protect some 5,000 businesses relying on it to lawfully carry out international data transfers. The modern global economy relies heavily on such data transfers, and Schrems II removed a low-friction data transfer mechanism available to EU businesses. This places more importance on the use of the SCCs.

Any practical tips?

Watch this space! Any EU company relying on international data transfers should pay close attention to European Commission announcements in the coming weeks and months relating to the SCCs. In the meantime, it makes sense to get to grips with your international data flows through an internal audit, so you are in the best possible position to respond to developments and thereby maintain data compliance.

Also keep an eye on the 1 January 2021 Brexit deadline. Unless a treaty provides otherwise, the UK will become a third country and, without other mechanisms in place (eg the SCCs), will depend on an adequacy decision going its way in order to continue receiving data in line with the EU GDPR. And an adequacy decision looks increasingly shaky given the EU Court of Justice’s recent ruling (6 October) that UK surveillance laws for the “general and indiscriminate” bulk collection of data “exceed the limits of what is strictly necessary and cannot be considered to be justified within a democratic society”.