EU-US Data Transfers: What’s Next and What Should Companies be Doing?

Posted on 27th July 2020

On 16 July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and ruled that companies using Standard Contractual Clauses for data transfer are obliged to assess the level of data protection in third countries and take additional safeguards to protect the privacy of EU citizens where they cannot guarantee an “essentially equivalent” level of data protection. Now is a crucial time for companies relying on EU-US data transfers to engage with regulators and policymakers on both sides of the Atlantic.

While the CJEU ruled that SCCs are valid for international data transfers, the judgment will require significant interpretation and elaboration by the European Commission and national data protection regulators. We expect the European Data Protection Board to publish a detailed analysis of the judgment and guidance on how regulators will expect companies using SCCs to assess the level of data protection in third countries and how to deploy additional safeguards as and when required.

The European Commission’s DG Justice is also working on updated SCCs. While the basis for doing so is to bring the SCCs in line with the GDPR, the Commission may also take the opportunity to develop SCCs for additional transfer scenarios, such as processor to processor transfers.

Companies who rely on SCCs for data transfers, to the US or to other markets, should be reaching out to the European Commission and DG Justice to put forward their views on the updated SCCs, assessment schemes for their use, and additional safeguards. In particular, companies should be able to highlight proportional and workable additional safeguards, including by region or by sector.

Some commentators have pointed out that FISA Section 702- a key part of the CJEU’s analysis to overturn Privacy Shield- does not apply to all sectors in the US and that certain regions of the US, such as California, have higher privacy standards than others. This means that there is a strong case of SCC analysis and safeguards to be differentiated by risk level, as judged by both destination and sector.

Access Partnership is working with our clients to make the case for the importance of EU-US personal data transfers and deliver workable data transfer mechanisms using SCCs which comply with the GDPR, satisfy regulators and enable transatlantic data flows and grow the digital economy. Get in touch with our Europe Team know to learn more about how we can help your organization effectively shape the future of international data transfers. 

Back to document archive