While the CJEU ruled that SCCs are valid for international data transfers, the judgment will require significant interpretation and elaboration by the European Commission and national data protection regulators. We expect the European Data Protection Board to publish a detailed analysis of the judgment and guidance on how regulators will expect companies using SCCs to assess the level of data protection in third countries and how to deploy additional safeguards as and when required.
The European Commission’s DG Justice is also working on updated SCCs. While the basis for doing so is to bring the SCCs in line with the GDPR, the Commission may also take the opportunity to develop SCCs for additional transfer scenarios, such as processor to processor transfers.
Companies who rely on SCCs for data transfers, to the US or to other markets, should be reaching out to the European Commission and DG Justice to put forward their views on the updated SCCs, assessment schemes for their use, and additional safeguards. In particular, companies should be able to highlight proportional and workable additional safeguards, including by region or by sector.
Some commentators have pointed out that FISA Section 702- a key part of the CJEU’s analysis to overturn Privacy Shield- does not apply to all sectors in the US and that certain regions of the US, such as California, have higher privacy standards than others. This means that there is a strong case of SCC analysis and safeguards to be differentiated by risk level, as judged by both destination and sector.
Access Partnership is working with our clients to make the case for the importance of EU-US personal data transfers and deliver workable data transfer mechanisms using SCCs which comply with the GDPR, satisfy regulators and enable transatlantic data flows and grow the digital economy. Get in touch with our Europe Team know to learn more about how we can help your organization effectively shape the future of international data transfers.