A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision

On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts organizations engaging in international data transfers under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organizations). Organizations are currently working hard to implement the requirements of the Judgment by assessing and revisiting current data transfer practices, switching or reinforcing data transfer mechanisms, introducing new organizational and technical controls and strengthening existing policies.

CIPL strongly believes that the EDPB guidelines must be informed by the reality of data transfers, global interconnected business processes and services, and best practices that companies are implementing to address the CJEU requirements. It is essential that the EDPB engages proactively with stakeholders and open these guidelines to public consultation during their development phase.

This paper highlights that the Judgment impacts not only transfers to the US, but also all data transfers from the EU to the rest of the world.

Download the Paper

Download Now