In the world of data protection, the Schrems II ruling in July 2020 by the European Court of Justice (ECJ) shook up the legal framework for transferring personal data outside of the European Union (EU). The decision invalidated the Privacy Shield framework, which had facilitated data transfers between the EU and the United States (US). This raised concerns regarding the use of Standard Contractual Clauses (SCCs) as an alternative legal basis for data transfers. This article will explore the implications of the Schrems II ruling on SCCs and how organizations can ensure compliance with EU data protection laws.
What are Standard Contractual Clauses?
SCCs are commonly used by organizations to legitimize the transfer of personal data to countries outside the EU, where the level of data protection is not considered adequate under EU data protection law. SCCs have been deemed to provide sufficient safeguards for the protection of personal data while being transferred to third countries. SCCs are legal agreements between a data exporter and a data importer, which outline the protections and obligations regarding the processing of personal data.
The Schrems II ruling and the future of SCCs
In the Schrems II ruling, the ECJ stated that SCCs can still be used as a legal basis for data transfers, but organizations need to ensure that SCCs are effectively protecting personal data. This means that data exporters have a responsibility to assess the local laws and regulations of third countries to which personal data is transferred, to ensure the adequate protection of personal data. Organizations should take into account access by public authorities to personal data, including any potential conflicts between third-country laws and EU data protection laws.
Data exporters may implement supplementary measures to ensure that personal data transferred under SCCs is adequately protected. This may include technical measures, such as encryption, or organizational measures, such as regular review of data protection practices of the data importer. In certain cases, additional contractual clauses may be needed to safeguard fundamental data protection rights.
Organizations must ensure that SCCs are effectively protecting personal data while being transferred to third countries. Failure to do so may lead to legal and financial consequences, including fines and legal claims by affected individuals. Therefore, data exporters and data importers must review their data processing practices, implement supplementary measures where necessary, and ensure that their contracts reflect changes to data protection laws.
Conclusion
The Schrems II ruling has raised concerns about the use of SCCs as a legal basis for the transfer of personal data outside the EU. Organizations must take actions to ensure that SCCs continue to be an effective tool for the transfer of personal data. This includes assessing the adequacy of data protection laws in third countries and implementing supplementary measures where necessary. By doing so, organizations can continue to transfer personal data outside the EU while complying with EU data protection laws.