In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held in Brussels today, EU Commissioner Didier Reynders delivered remarks on what to expect for the future of international data transfers after the European Court of Justice has ruled the EU-US Privacy Shield Framework invalid in July. The political and legal focus remains on the so-called Standard Contractual Clauses, a set of terms to be implemented in private contracts, which expands many obligations under the GDPR to data importing entities in the U.S. and other countries outside the EU.
The court had also raised doubts about the compliance of the SCCs with EU laws, calling for an assessment of the level of data protection for each receiving country, and potential “supplementary measures” to protect privacy rights when transferring personal information to the U.S.
Guidance on SCCs by the EDPB is on the way
First, he emphasized the close cooperation of the Commission with the national Data Protection Authorities and their key role to “provide companies with guidance and support” in order to avoid fragmented interpretation in the EU member states. He called for concrete examples, helping companies to comply with the GDPR requirements. The EDPB had issued FAQ on the case and its implications for private business in July, however, left the question of “supplementary question” unanswered and subject to further guidance.
European Commission reveals timeline for new SCCs
Second, as already announced by EU Commissioner for Values and Transparency Věra Jourová right after the judgement was delivered on July 16, the Commission pushes for a modernization of the SCCs. According to Reynders, this process is a “top priority”. The launch of the adoption process is scheduled for next month, with “hope” to finalize the new set of SCCs “by the end of this year”.
Again, Reynders strained the needs of small and medium businesses. The SCCs would be “very useful” for SMEs, which had no resources and expertise to negotiate contracts with each of their commercial partners abroad.
EU-US talks on a new framework for international data transfers continue
Discussions with the US about a successor framework for the nullified EU-US Privacy Shield Framework continue in close cooperation, Reynders said. In August, he had already met U.S. Secretary of Commerce Wilbur Ross.
The Commission is apparently willing to find solutions to continue the free flow of data between the EU on the one side and the U.S. and other third countries (without an adequacy decision) which may also be affected by the new interpretation of the SCCs, such as China, Brazil, and potentially even the United Kingdom after January 1, 2021, given that talks on the trade agreement between the UK and the EU may not be finalized in time.
However, given the “sensitive issue of national security”, companies should not expect a “quick fix”, said Reynders. He repeatedly stressed the “complex nature” of the legal questions raised by the European Court of Justice.
The European Court of Justice already demanded for new agreements on the protection of personal data in 2015. The question remains how far the current U.S. government is willing to give in this time when it comes to regulations on surveillance measures by intelligence.