Since the decision by the Court of Justice of the European Union (“CJEU”) to invalidate Privacy Shield and opine on the use of Standard Contractual Clauses ("SCCs"), we have been compiling and maintaining a list of the responses and reactions published by both data protection authorities across the EU and other regulators globally. The full list of responses and reactions can be accessed here: Responses to the Decision in Case C-311/18 (Schrems II). Further details on the decision itself can be found here.
Summary of responses
Following the initial flurry of statements from regulators acknowledging the decision and commenting at a very high level (largely reiterating the decision itself), there has not been a great deal of movement in terms of issuing formal guidance on applying the decision, particularly with respect to transferring personal data the U.S. and using the SCCs as a method for transferring personal data generally.
That said, the key messages at this stage are as follows:
- Privacy Shield is no longer a lawful means of transferring personal data to the U.S. and any transfers made using Privacy Shield are in violation of the GDPR. Any such transfers should be made using an alternative means of lawfully transferring personal data. If no other means are available, the transfer should not be made.
- The use of the SCCs to transfer personal data to a third country should be reviewed in light of the decision by the CJEU. However, guidance on how such a review process should be undertaken is currently not available.
- Regulators across the EU, including data protection authorities, the European Data Protection Board and the European Commission, are working closely together to prepare and issue guidance on applying the decision, particularly with respect to using the SCCs and implementing additional measures, as noted above.
- The European Commission is planning to launch the adoption process for the new SCCs in the coming months with the hope of finalizing by the end of 2020.
- The European Commission is in discussions with the U.S. Department of Commerce regarding a new framework for transferring personal data to the U.S.
We expect to see more formal guidance from the EDPB and other data protection regulators in the coming weeks and will continue to update the list of responses linked above.