Data Transfer from the European Union to the United States is a knotty process. The difficulties were compounded this summer when Europe’s highest court held the “Privacy Shield” program enabling U.S-E.U. data transfers unlawful in the Schrems II decision. Last week, the European Union tried to provide some clarity by releasing proposed standard contractual clauses (“SCCs”) to enable personal data transfer from the European Union to third countries.
If approved, the SCCs will enable firms to transfer personal data under the General Data Protection Regulation (“GDPR”). Firms would have 12 months from the date of SCC approval to substitute the new SCCs for existing data transfer mechanisms. Brussels watchers anticipate the EU will approve the SCCs early in 2021.
Organizations subject to GDPR will need to evaluate their current data transfer mechanisms. If the mechanism is deficient, it will have to be supplanted by the SCCs. These SCCs will enable the organizations to transfer personal data outside the European Union. By far the most important data transfer destination will be to the United States.
The SCCs are more stringent than their predecessors. They aim to address some of the Schrems II fallout. In particular, Schrems II requires parties transferring personal data outside the European Economic Area to determine whether the data would enjoy a level of protection corresponding to GDPR standards.
The transferring parties will have to see if the EU has designated the recipient country an “adequate” destination. If there is no adequacy decision, such as in the United States, the parties must evaluate if the recipient offers the required level of protection.
The recipient must notify the exporting parties if it receives government requests for access to public data. It must also notify the parties if the government directly accesses data. If the recipient has options under local laws, it must use all available legal recourse to challenge access.
The SCCs are open for public comment until December 10, 2020. The next steps will be the approval of the European Data Protection Board, the European Data Protection Supervisor, and the positive vote of EU Member States. But we can be confident that SCCs are not the last word in trans-Atlantic data transfer.