EU-US Data Transfers: What’s Next and What Should Companies be Doing?

On 16 July, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield and ruled that companies using Standard Contractual Clauses for data transfer are obliged to assess the level of data protection in third countries and take additional safeguards to protect the privacy of EU citizens where they cannot guarantee an “essentially equivalent” level of data protection. Now is a crucial time for companies relying on EU-US data transfers to engage with regulators and policymakers on both sides of the Atlantic.

EU-US Data Transfers: What’s Next and What Should Companies be Doing?

While the CJEU ruled that SCCs are valid for international data transfers, the judgment will require significant interpretation and elaboration by the European Commission and national data protection regulators. We expect the European Data Protection Board to publish a detailed analysis of the judgment and guidance on how regulators will expect companies using SCCs to assess the level of data protection in third countries and how to deploy additional safeguards as and when required.

The European Commission’s DG Justice is also working on updated SCCs. While the basis for doing so is to bring the SCCs in line with the GDPR, the Commission may also take the opportunity to develop SCCs for additional transfer scenarios, such as processor to processor transfers.

Companies who rely on SCCs for data transfers, to the US or to other markets, should be reaching out to the European Commission and DG Justice to put forward their views on the updated SCCs, assessment schemes for their use, and additional safeguards. In particular, companies should be able to highlight proportional and workable additional safeguards, including by region or by sector.

Some commentators have pointed out that FISA Section 702- a key part of the CJEU’s analysis to overturn Privacy Shield- does not apply to all sectors in the US and that certain regions of the US, such as California, have higher privacy standards than others. This means that there is a strong case of SCC analysis and safeguards to be differentiated by risk level, as judged by both destination and sector.

Access Partnership is working with our clients to make the case for the importance of EU-US personal data transfers and deliver workable data transfer mechanisms using SCCs which comply with the GDPR, satisfy regulators and enable transatlantic data flows and grow the digital economy. Get in touch with our Europe Team know to learn more about how we can help your organization effectively shape the future of international data transfers. 

Related Articles

Access Alert: Orbiting innovation – key satellite industry trends unveiled at SATELLITE 2024

Access Alert: Orbiting innovation – key satellite industry trends unveiled at SATELLITE 2024

The SATELLITE 2024 conference in Washington, DC, took place between 18-21 March 2024. The event brought together close to 15,000...

28 Mar 2024 Opinion
Access Alert: Saudi Arabia launches consultation on spectrum management

Access Alert: Saudi Arabia launches consultation on spectrum management

Continuing the efforts carried out by the Communications and Information Technology Commission (CST) to improve Saudi Arabia’s regulatory framework and...

26 Mar 2024 Opinion
Access Alert: APEC Peru 2024

Access Alert: APEC Peru 2024

From February through March 2024, delegations from the 21 Asia-Pacific Economic Cooperation (APEC) economies gathered at the Lima Convention Center...

22 Mar 2024 Opinion
Digital Equality in Latin America

Digital Equality in Latin America

In this episode of LATAM Digital, Geusseppe Gonzalez engages with Sonia Jorge, Founder and Executive Director of the Global Digital...

21 Mar 2024 Opinion