On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice
The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.
The new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”) and the old SCCs will be repealed three months after that date (“Date of Repeal”).Continue Reading New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA – Adopted On the Eve of Publication
Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering on how they can transfer data to non EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Continue Reading German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries
On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must considered on a case-by-case basis in light of the circumstances of the particular transfer.
US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanism such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).
Continue Reading CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats
On October 3, 2017, the Irish High Court issued a judgment in the “Schrems II” case, which raises the issue of whether the EU Commission’s decision approving the EU’s Standard Contractual Clauses (SCCs) should be invalidated. The Court has decided to refer various issues to the Court of Justice of the European Union (CJEU) and is seeking comment from the parties involved with regard to the questions that should be raised.
Continue Reading Irish High Court Issues Judgment in “Schrems II” Case