BCLP Global Data Privacy FAQs: What EU transfer options remain for international data transfers after Schrems II?


On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated in “Schrems II” the EU–U.S. Privacy Shield framework, while upholding the Standard Contractual Clauses (SCCs) as a valid mechanism for international data transfers under certain conditions. For international data transfers, the EU GDPR distinguishes between (a) outbound transfers of personal data to countries outside the European Economic Area (EEA) which offer an adequate level of data protection and (b) transfers to such countries without adequate protection.

This FAQ gives an overview of the transfer options still available following the Schrems II decision.

A Formal Adequacy Decision: If the third country provides an adequate level of data protection and the European Commission issues an ‘adequacy decision’, then personal data can be transferred to that third country on the same basis as a transfer from one EU country to another. Currently, adequacy decisions exist for countries including Argentina, Canada, Israel, Japan, New Zealand, Switzerland and Uruguay. For the UK, the European Commission is in the process of adopting such a decision. The EU-UK Trade and Cooperation Agreement includes a bridging mechanism that currently allows for unrestricted data flows from the EEA to the UK which will expire at the end of June.

SCCs, BCRs and other Appropriate Safeguards: In the absence of an adequacy decision and subject to certain exceptions, international data transfers may only take place where companies provide for appropriate safeguards pursuant to Article 46, EU GDPR. These appropriate safeguards include SCCs and Binding Corporate Rules (BCRs). However, as a result of the Schrems II decision, companies are now required to assess on a case-by-case basis whether such transfer mechanisms are also effective in practice and, where not, adopt supplementary measures to ensure an essentially equivalent level of data protection to that guaranteed by the EU GDPR. The new SCCs, which were adopted by the European Commission on June 4, 2021 and enter into force on 27 June 2021, seek to address some of the concerns raised by the Schrems II decision. There are also negotiations between the EU Commission and the U.S. Government on an enhanced ‘Privacy Shield 2.0’, however, a replacement for the invalidated Privacy Shield in the near term seems unlikely, considering the diverging positions.

The Derogations: Lastly, it is still possible to transfer personal data from the EEA to a non-adequate country on the basis of the derogations in Article 49, EU GDPR, e.g. where the data subject explicitly consented to the transfer, the transfer is necessary for the performance of a contract to which the data subject is a party or the transfer is necessary for the establishment, exercise or defense of legal claims. However, the European supervisory authorities have taken the position that these derogations may be used only in exceptional circumstances and are mainly limited to occasional and non-repetitive transfers. They are therefore of limited relevance for most organizations.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising

Written by:

Bryan Cave Leighton Paisner

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.