EU-US Data Transfers: What’s Next and What Should Companies be Doing?

On 16 July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and ruled that companies using Standard Contractual Clauses for data transfer are obliged to assess the level of data protection in third countries and take additional safeguards to protect the privacy of EU citizens where they cannot guarantee an “essentially equivalent” level of data protection. Now is a crucial time for companies relying on EU-US data transfers to engage with regulators and policymakers on both sides of the Atlantic.

EU-US Data Transfers: What’s Next and What Should Companies be Doing?

While the CJEU ruled that SCCs are valid for international data transfers, the judgment will require significant interpretation and elaboration by the European Commission and national data protection regulators. We expect the European Data Protection Board to publish a detailed analysis of the judgment and guidance on how regulators will expect companies using SCCs to assess the level of data protection in third countries and how to deploy additional safeguards as and when required.

The European Commission’s DG Justice is also working on updated SCCs. While the basis for doing so is to bring the SCCs in line with the GDPR, the Commission may also take the opportunity to develop SCCs for additional transfer scenarios, such as processor to processor transfers.

Companies who rely on SCCs for data transfers, to the US or to other markets, should be reaching out to the European Commission and DG Justice to put forward their views on the updated SCCs, assessment schemes for their use, and additional safeguards. In particular, companies should be able to highlight proportional and workable additional safeguards, including by region or by sector.

Some commentators have pointed out that FISA Section 702- a key part of the CJEU’s analysis to overturn Privacy Shield- does not apply to all sectors in the US and that certain regions of the US, such as California, have higher privacy standards than others. This means that there is a strong case of SCC analysis and safeguards to be differentiated by risk level, as judged by both destination and sector.

Access Partnership is working with our clients to make the case for the importance of EU-US personal data transfers and deliver workable data transfer mechanisms using SCCs which comply with the GDPR, satisfy regulators and enable transatlantic data flows and grow the digital economy. Get in touch with our Europe Team know to learn more about how we can help your organization effectively shape the future of international data transfers. 

Related Articles

Access Alert: The intensifying battle between Musk and Ambani over India’s satellite broadband spectrum

Access Alert: The intensifying battle between Musk and Ambani over India’s satellite broadband spectrum

Space industry players should take note of the escalating competition in India’s satellite broadband market, as Elon Musk’s Starlink and...

25 Oct 2024 Opinion
2024 data reveals the urgent need for a village approach to child online safety

2024 data reveals the urgent need for a village approach to child online safety

Children are facing unprecedented online risks. Recent data shows that one in eight children globally (approximately 302 million) have fallen...

21 Oct 2024 Opinion
Access Alert: Mexico’s telecommunications and competition authorities set to be dissolved

Access Alert: Mexico’s telecommunications and competition authorities set to be dissolved

Overview On 13 October, Deputy Ricardo Monreal, leader of the ruling Morena party, announced that reforms to eliminate the Federal...

15 Oct 2024 Opinion
Cybersecurity skills in the EU: A new dawn?

Cybersecurity skills in the EU: A new dawn?

In September 2024, the Hungarian Presidency and the European Union Agency for Cybersecurity (ENISA) co-hosted the third annual edition of...

15 Oct 2024 Opinion