European Union Publishes Draft Standard Clauses for Trans-Atlantic Data Transfers

Michael Slipsky
Poyner Spruill LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Poyner Spruill LLP

Data Transfer from the European Union to the United States is a knotty process. The difficulties were compounded this summer when Europe’s highest court held the “Privacy Shield” program enabling U.S-E.U. data transfers unlawful in the Schrems II decision. Last week, the European Union tried to provide some clarity by releasing proposed standard contractual clauses (“SCCs”) to enable personal data transfer from the European Union to third countries.

If approved, the SCCs will enable firms to transfer personal data under the General Data Protection Regulation (“GDPR”). Firms would have 12 months from the date of SCC approval to substitute the new SCCs for existing data transfer mechanisms. Brussels watchers anticipate the EU will approve the SCCs early in 2021.

Organizations subject to GDPR will need to evaluate their current data transfer mechanisms. If the mechanism is deficient, it will have to be supplanted by the SCCs. These SCCs will enable the organizations to transfer personal data outside the European Union. By far the most important data transfer destinationwill be to the United States.

The SCCs are more stringent than their predecessors. They aim to address some of the Schrems II fallout. In particular, Schrems II requires parties transferring personal data outside the European Economic Area to determine whether the data would enjoy a level of protection corresponding to GDPR standards.

The transferring parties will have to see if the EU has designated the recipient country an “adequate” destination. If there is no adequacy decision, such as in the United States, the parties must evaluate if the recipient offers the required level of protection.

The recipient must notify the exporting parties if it receives government requests for access to public data. It must also notify the parties if the government directly accesses data. If the recipient has options under local laws, it must use all available legal recourse to challenge access.

The SCCs are open for public comment until December 10, 2020. The next steps will be the approval of the European Data Protection Board, the European Data Protection Supervisor, and the positive vote of EU Member States. But we can be confident that SCCs are not the last word in trans-Atlantic data transfer.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising

Written by:

Poyner Spruill LLP
Poyner Spruill LLP
Contact
more
less

Poyner Spruill LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide