EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

Sheppard Mullin Richter & Hampton LLP

Companies that transfer data from the EU to the U.S. are struggling to determine the appropriate basis on which they can make these transfers. Continuing our examination of the outcome of the Schrems II decision, we now consider what companies can do for transfers of information from the EU to the U.S.

As we previously wrote at the time of the Schrems II decision, one of the alternate mechanisms for data transfers is Standard Contractual Clauses (SCCs). While the court concluded that SCCs remained valid, it outlined restrictions that have been giving companies pause. Of note was the comment that companies relying on SCCs would need to take proactive roles in making sure that there was an “adequate level of protection” of data in the importing jurisdiction. In sum, companies can continue to rely on SCCs as a mechanism, but would need an “SCC plus” approach to address the need for adequate levels of protection, including the European Data Protection Board’s concerns (described below).

To better understand how SCCs would be received in the wake of the Schrems II decision and how levels of protection might be assessed, many have been watching the various EU countries’ privacy authorities for guidance. Some, like the DPA for Hamburg, have called for revisions to and/or more scrutiny of the SCCs. Others, like France and Norway, indicated that they are “analyzing” the impact. Germany’s conference of data protection authorities, the DSK, reiterated the need to assess adequate security if relying on SCCs (without indicating how specifically to do this). The European Data Protection Board (EDPB), for its part, confirmed that the SCCs “remain valid,” but emphasized that in practice both the data importer and exporter should take context into account to make sure that protection is adequate.

To assist businesses, the EDPB recently issued a set of FAQs, where it reiterated the need for an assessment that “takes into account the circumstances of the transfers and supplementary measures you could put in place.” These include “making sure that U.S. law does not impinge on the adequate level of protection.” How, specifically, a company would go about making this determination was not covered in the FAQs.

Putting it Into Practice: Companies that rely on SCCs for their data transfers from the EU to the U.S. will want to think about the context of the transfer in light of this recent EDPB direction. Many also anticipate that the wording of the SCCs may change in the future. Stay tuned for our next article, which discusses the limits of consent for data transfers from the EU to the U.S.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
