On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated in “Schrems II” the EU–U.S. Privacy Shield framework, while upholding the Standard Contractual Clauses (SCCs) as a valid mechanism for international data transfers under certain conditions. For international data transfers, the EU GDPR distinguishes between (a) outbound transfers of personal data to countries outside the European Economic Area (EEA) which offer an adequate level of data protection and (b) transfers to such countries without adequate protection.
This FAQ gives an overview of the transfer options still available following the Schrems II decision.
A Formal Adequacy Decision: If the third country provides an adequate level of data protection and the European Commission issues an ‘adequacy decision’, then personal data can be transferred to that third country on the same basis as a transfer from one EU country to another. Currently, adequacy decisions exist for countries including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay. For the UK, the European Commission is in the process of adopting such a decision. The EU-UK Trade and Cooperation Agreement includes a bridging mechanism that currently allows for unrestricted data flows from the EEA to the UK which will expire at the end of June.
SCCs, BCRs and other Appropriate Safeguards: In the absence of an adequacy decision and subject to certain exceptions, international data transfers may only take place where companies provide for appropriate safeguards pursuant to Article 46, EU GDPR. These appropriate safeguards include SCCs and Binding Corporate Rules (BCRs). However, as a result of the Schrems II decision, companies are now required to assess on a case-by-case basis whether such transfer mechanisms are also effective in practice and, where not, adopt supplementary measures to ensure an essentially equivalent level of data protection to that guaranteed by the EU GDPR. The new SCCs, which were adopted by the European Commission on June 4, 2021 and enter into force on 27 June 2021, seek to address some of the concerns raised by the Schrems II decision. There are also negotiations between the EU Commission and the U.S. Government on an enhanced ‘Privacy Shield 2.0’, however, a replacement for the invalidated Privacy Shield in the near term seems unlikely, considering the diverging positions.
The Derogations: Lastly, it is still possible to transfer personal data from the EEA to a non-adequate country on the basis of the derogations in Article 49, EU GDPR, e.g. where the data subject explicitly consented to the transfer, the transfer is necessary for the performance of a contract to which the data subject is a party or the transfer is necessary for the establishment, exercise or defense of legal claims. However, the European supervisory authorities have taken the position that these derogations may be used only in exceptional circumstances and are mainly limited to occasional and non-repetitive transfers. They are therefore of limited relevance for most organizations.