​​​What’s new

In its judgment of 16 July 2020, ​Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, C-311/18 (known as “Schrems II”), the Court of Justice of the European Union (CJEU) invalidated the European Commission’s decision that the EU-US Privacy Shield afforded adequate protection when transferring personal data from the EU to the US. The Privacy Shield is a self-certification scheme that US legal entities can adhere to by declaring themselves compliant with a detailed set of requirements based on privacy principles. Organisations could rely on this instrument to transfer personal data to the USA to Privacy Shield certified US entities. If they could not rely on the Privacy Shield, they would have to rely on other, more burdensome transfer mechanisms, such as standard data protection clauses. The invalidation of the Privacy Shield adequacy decision in Schrems II means that the EU-US Privacy Shield framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data to the US.

In its judgment, the CJEU also cast doubt on the extent to which transfers could be legitimised by the Commission’s standard contractual clauses (“pre-GDPR SCCs”) for personal data transfers to the US and globally. According to the CJEU, the pre-GDPR SCCs were still valid as a transfer mechanism in principle, but would require additional work (e.g. assessing the law of the third country to see if there is anything that may impinge the effectiveness of the SCCs, implementing supplementary measures, where necessary, to ensure the transferred data is protected up to the EU standards). SCCs are a form of “appropriate safeguard” that can be used when there is no adequacy decision under Article 45 of the GDPR. The Commission decides on them as provided in Article 46 GDPR, and organisations can use them to transfer data to countries outside the EU/EEA which the Commission has not recognised as providing adequate protection.

Considering that the pre-GDPR SCCs are outdated and that there was a real and urgent need to revamp them following the entry into force of the GDPR, especially after Schrems II, the Commission has been working for a while on new draft SCCs. On 4 June 2021, it finally published new SCCs, available here, for the transfer of personal data to third countries pursuant to the GDPR. While the new SCCs will be effective as of 27 June 2021, organisations may continue to use pre-GDPR SCCs that are already in place until 27 December 2022 – though supplemental measures may be required to ensure compliance with Schrems II. The pre-GDPR SCCs will be repealed and become invalid on 27 September 2021.

On 4 June 2021 the Commission also adopted SCCs (available here) that can be used by controllers and processors to comply with Article 28 GDPR and Article 29 EUDPR (Regulation (EU) 2018/1725, which lays down the data protection obligations of the EU institutions and bodies when they process personal data).

To read the Commission’s press release on the two sets of SCCs, click here​.

European Court of Auditors - 12, rue Alcide De Gasperi - 1615 LUXEMBOURG - Tel. : +352 4398-1