Skip to main content

EU Commission Sets Timeline for New SCCs after the “Schrems” Judgement

| Categories: General Obligations;

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held in Brussels today, EU Commissioner Didier Reynders delivered remarks on what to expect for the future of international data transfers after the European Court of Justice has ruled the EU-US Privacy Shield Framework invalid in July. The political and legal focus remains on the so-called Standard Contractual Clauses, a set of terms to be implemented in private contracts, which expands many obligations under the GDPR to data importing entities in the U.S. and other countries outside the EU.

The court had also raised doubts about the compliance of the SCCs with EU laws, calling for an assessment of the level of data protection for each receiving country, and potential “supplementary measures” to protect privacy rights when transferring personal information to the U.S.

 

Guidance on SCCs by the EDPB is on the way

First, he emphasized the close cooperation of the Commission with the national Data Protection Authorities and their key role to “provide companies with guidance and support” in order to avoid fragmented interpretation in the EU member states. He called for concrete examples, helping companies to comply with the GDPR requirements. The EDPB had issued FAQ on the case and its implications for private business in July, however, left the question of “supplementary question” unanswered and subject to further guidance.
 

European Commission reveals timeline for new SCCs

Second, as already announced by EU Commissioner for Values and Transparency Věra Jourová right after the judgement was delivered on July 16, the Commission pushes for a modernization of the SCCs. According to Reynders, this process is a “top priority”. The launch of the adoption process is scheduled for next month, with “hope” to finalize the new set of SCCs “by the end of this year”.

Again, Reynders strained the needs of small and medium businesses. The SCCs would be “very useful” for SMEs, which had no resources and expertise to negotiate contracts with each of their commercial partners abroad.
 

EU-US talks on a new framework for international data transfers continue

Discussions with the US about a successor framework for the nullified EU-US Privacy Shield Framework continue in close cooperation, Reynders said. In August, he had already met U.S. Secretary of Commerce Wilbur Ross.

The Commission is apparently willing to find solutions to continue the free flow of data between the EU on the one side and the U.S. and other third countries (without an adequacy decision) which may also be affected by the new interpretation of the SCCs, such as China, Brazil, and potentially even the United Kingdom after January 1, 2021, given that talks on the trade agreement between the UK and the EU may not be finalized in time.

However, given the “sensitive issue of national security”, companies should not expect a “quick fix”, said Reynders. He repeatedly stressed the “complex nature” of the legal questions raised by the European Court of Justice.

The European Court of Justice already demanded for new agreements on the protection of personal data in 2015. The question remains how far the current U.S. government is willing to give in this time when it comes to regulations on surveillance measures by intelligence.

GDPR Updates for non-EU companies

Are you compliant with the GDPR?

Under Art. 27 of the GDPR, many non-EU companies must appoint an EU GDPR Privacy Representative. To find out now if your company is subject to this obligation

take the test

Who is EU-REP.Global?

We are data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation. If you want to know more,

go to FAQ

Data Mapping & the GDPR: "Records of Processing Activities"

Any privacy law implementation program is based a proper data mapping. But is it even a legal obligation? Under the GDPR, the answer is a clear "yes" for most of modern businesses. Article 30 requires companies to maintain so-called "records of processing activities" (also known as RPA or ROPA) with...

Read

GDPR Enforcement: The Real Risks of Non-Compliance

Whereas public supervisory authorities granted an informal grace period to implement the new provisions of the EU General Data Protection Regulation (GDPR) and allocated many resources to awareness-raising campaigns in 2018, their focus clearly shifted towards enforcement in 2019. The risk of...

Read

GDPR Compliance in Email Marketing

“Don’t miss out on the latest deals”, “subscribe to our newsletter”, “get exclusive offers and personalized tips for shopping” – for many businesses, e-mail marketing is still the primary and most effective customer acquisition channel. Collecting email addresses and sending direct marketing...

Read