EU-US Data Transfers: What’s Next and What Should Companies be Doing?

On 16 July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and ruled that companies using Standard Contractual Clauses for data transfer are obliged to assess the level of data protection in third countries and take additional safeguards to protect the privacy of EU citizens where they cannot guarantee an “essentially equivalent” level of data protection. Now is a crucial time for companies relying on EU-US data transfers to engage with regulators and policymakers on both sides of the Atlantic.

EU-US Data Transfers: What’s Next and What Should Companies be Doing?

While the CJEU ruled that SCCs are valid for international data transfers, the judgment will require significant interpretation and elaboration by the European Commission and national data protection regulators. We expect the European Data Protection Board to publish a detailed analysis of the judgment and guidance on how regulators will expect companies using SCCs to assess the level of data protection in third countries and how to deploy additional safeguards as and when required.

The European Commission’s DG Justice is also working on updated SCCs. While the basis for doing so is to bring the SCCs in line with the GDPR, the Commission may also take the opportunity to develop SCCs for additional transfer scenarios, such as processor to processor transfers.

Companies who rely on SCCs for data transfers, to the US or to other markets, should be reaching out to the European Commission and DG Justice to put forward their views on the updated SCCs, assessment schemes for their use, and additional safeguards. In particular, companies should be able to highlight proportional and workable additional safeguards, including by region or by sector.

Some commentators have pointed out that FISA Section 702- a key part of the CJEU’s analysis to overturn Privacy Shield- does not apply to all sectors in the US and that certain regions of the US, such as California, have higher privacy standards than others. This means that there is a strong case of SCC analysis and safeguards to be differentiated by risk level, as judged by both destination and sector.

Access Partnership is working with our clients to make the case for the importance of EU-US personal data transfers and deliver workable data transfer mechanisms using SCCs which comply with the GDPR, satisfy regulators and enable transatlantic data flows and grow the digital economy. Get in touch with our Europe Team know to learn more about how we can help your organization effectively shape the future of international data transfers. 

Related Articles

Access Alert: White House Seeks Input on AI Action Plan

Access Alert: White House Seeks Input on AI Action Plan

The Trump Administration is charting a new course for US AI leadership following its rescinding of the Biden AI Executive...

6 Feb 2025 Opinion
Securing the Future of US Digital Trade

Securing the Future of US Digital Trade

This opinion piece is part of Access Partnership’s  ‘A Digital Manifesto’  initiative, which recommends a framework to develop US global...

6 Feb 2025 Opinion
12 Key Principles for Sustainable AI

12 Key Principles for Sustainable AI

Making AI sustainable is crucial to ensuring its accessibility in all countries and reducing the digital divide. Understanding a country’s...

5 Feb 2025 Opinion
Access Alert: Mexico’s New Agency for Digital Transformation and Telecommunications Takes Form

Access Alert: Mexico’s New Agency for Digital Transformation and Telecommunications Takes Form

President Claudia Sheinbaum has identified digital transformation as a key strategic element of Plan Mexico, in which she aims to...

3 Feb 2025 Opinion