Schrems II decision
The CJEU's (Court of Justice of the European Union) "Schrems II" decision demonstrated that transfers of personal data to the US do not provide enough security safeguards. The result was the cancellation of the US-EU Privacy Shield.
This judgement stopped the transfer of data, particularly to US companies who collect it from EU citizens via European subsidiaries.
Confrontations between authorities and US firms began to emerge throughout Europe as a result of their non-compliance with the data protection laws.
Consequently, the Schrems II decision resulted in the suspension of data transfers to third countries. The authorities have begun to conduct checks to identify possible breaches of the Schrems II provisions. Checks such as e-mails, website hosting, web monitoring, and the way controllers manage applicants' data.
These checks are welcome because many of the organizations that collect significant amounts of personal data are subsidiaries of US parent companies.
By establishing the SCCs, the Commission, on the other hand, attempted to limit transfers to third countries.
On June 4, 2022, new SCCs (Standard Contractual Clauses) were adopted, and they went into effect on September 27, 2021
What are the new SCCs?
- SCCs for the relationship between controllers and processors within the EEA area. Both public and private companies, as well as EU institutions, can use it. They meet the GDPR's Article 28 and Article 29 criteria (The General Data Protection Regulation).
- SCCS for transferring personal data outside of EU. Data exporters can use these words without obtaining approval from a data protection authority. They comply with GDPR standards by providing appropriate safeguards for data transferred outside of the EEA.
On May 25, 2022, a new guidance in the form of a Q&A was released to provide practical assistance. The guidance is based on the feedback of several organisations about their initial experiences with the new SCCs.
The adoption of these new clauses appears to be a potential solution to the issues arised from the Schrems II judgement. They provide a higher level of protection for data subjects' personal information.
In other words, controllers who choose the European Commission's clauses will comply with the Regulation 679/2016's requirements.
These clauses basically lay out the modalities, conditions, and obligations that the parties must meet in order to comply with data regulations while transferring data.
The guidance does not provide legal advice. However, we recommend that you read the complete Q&A instructions since it provides important information that can help in securing the transfer of personal data.
Also there is no obligation to use the SCCs. Controllers can use it voluntarily to demonstrate compliance with data protection rules, in which case is necessary a binding contractual agreement.
Last updated: June 3, 2022