September 25, 2020

A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision

On July 16, 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as Schrems II, that Standard Contractual Clauses are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. This substantially impacts organizations engaging in international data transfers under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organizations). Organizations are currently working hard to implement the requirements of the Judgment by assessing and revisiting current data transfer practices, switching or reinforcing data transfer mechanisms, introducing new organizational and technical controls and strengthening existing policies.

CIPL has conducted discussions and a survey with CIPL member organizations regarding their data transfer practices. This Paper summarizes our observations and the findings of this survey concerning:

  1. The GDPR mechanisms that organizations use or envisage using to transfer data outside of the EU in the post-Schrems II era
  2. The main factors organizations have identified to conduct risk assessments before data is transferred to non-adequate countries
  3. The supplementary measures that organizations are putting in place or envisage putting in place to protect transferred data
  4. The organizational accountability frameworks and processes organizations use for responding to government data access requests

This Paper also provides recommendations to the EDPB and the EU Commission for consideration when drafting guidance on supplemental measures for transferring data outside of the EU. These recommendations should also be considered when finalizing the updated SCCs to reflect the GDPR’s provisions and the CJEU’s requirements in the Judgment.

CIPL highlights that this Paper does not necessarily reflect a single standard market practice of organizations. It is intended to provide a broad spectrum of current and possible practices that more sophisticated organizations we work with are currently implementing or are considering implementing in the future. The practices we list should serve as a toolbox from which organizations can pick and choose appropriate measures to address the consequences of the Judgment in light of their specific situation and the context of their data transfers. This toolbox may also be very useful to smaller organizations with more limited resources. The EDPB should ensure that its guidance and recommended measures are scalable for smaller organizations.
