On 16 July, the European Court of Justice (CJEU) struck down the controversial Privacy Shield arrangement for transferring data from the EU to the US. Cue widespread alarm as businesses reliant on such transfers scrambled to work out what other solutions were available.
Fortunately the CJEU also clarified that Standard Contractual Clauses (SCCs), an alternative mechanism for transferring data, remain valid. Essentially, SCCs are template or form contracts set out by the European Commission that allow transfers of European citizens’ data to take place legally. However, while confirming that SCCs are valid, the Court underlined that they can only be relied upon when risks have been properly assessed and cannot amount to a “tickbox exercise.”
Given the number of transfers certain international tech giants make daily, that could pose a challenge.
Nonetheless, CCIA said: “We are encouraged that today’s ruling recognises Standard Contractual Clauses as a trustworthy mechanism for transferring data outside of Europe.”
Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE, was also upbeat: “Today’s ruling on SCCs provides clear reassurance for the thousands of companies who use them as the main tool for international data transfers. These clauses are vital to Europe’s digital economy, which depends on companies of all sizes and from all sectors operating across borders.”
On a more cautious note, Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection at Linklaters, pointed out: “This is less of a win for businesses than it appears. Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The CJEU has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed.”
Susanne Dehmel, member of Bitkom’s management board, was also concerned: “Even the hitherto valid practice of Standard Contractual Clauses is thrown into doubt by the Court’s decision. For companies with data processing activities in the US this decision creates significant legal uncertainty.”
Those businesses hoping that they may be granted some leeway to get their house in order will have to act fast as European data protection authorities are not inclined to grant any sort of amnesty.
The European Data Protection Board is currently analysing the Court’s judgment “to determine the kind of supplementary measures that could be provided in addition to SCCs or Binding Corporate Rules (BCRs), whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.”
However, in the meantime it issued a Frequently Asked Questions document on 23 July to help companies navigate this tricky time, which in answer to the question “Is there any grace period during which I can keep on transferring data to the US without assessing my legal basis for the transfer?” bluntly answers: “No.”
For businesses already relying on SCCs, the news was similarly grim: “Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” explains the EDPB.
Transfers must be assessed on a “case-by-case analysis of the circumstances surrounding the transfer,” said the board, and if appropriate safeguards cannot be ensured, businesses are required “to suspend or end the transfer of personal data.”
It also adds that “if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.”
The same goes for Binding Corporate Rules (BCRs). These are essentially the same as SCCs, but apply where the data transfer takes place within the same corporate group rather than between a separate “exporter” and “importer.”
In light of this, companies are also looking hard at the derogations under Article 49 of the GDPR, specifically: consent, public interest, and performance of a contract. The EDPB reminds businesses that consent must be explicit, specific and informed, but had more to say on the matter of performance of a contract.
“With regard to transfers necessary for the performance of a contract…