Download This PaperCross-Border Transfers of Personal Data after Schrems II: Supplementary Measures and New Standard Contractual Clauses (SCCs)
12 Pages Posted: 27 Oct 2021
Date Written: October 27, 2021
Abstract
This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.
Keywords: Schrems II, international data transfers, supplementary measures, new Standard Contractual Clauses (SCCs), EDPB Recommendations 01/2020, encryption, security and organisational measures, GDPR.
Suggested Citation: Suggested Citation