Lawyer Monthly - November 2021 Edition

WWW.LAWYER-MONTHLY.COM | OCT 2021 74 THOUGHT LEADER - THOMAS OLSEN Schrems II: The Implications for Data Transfers and Standard Contractual Clauses Protection Board (EDPB) issued its much- awaited updated recommendations on the Schrems II decision and data transfers under the GDPR. The guidance was published following a public hearing on a first draft issued in November 2020. Despite heavy markup to accommodate many critical comments, the latest guidance maintains the six- step approach to carrying out a transfer impact assessment and sets a very high bar for using SCC and binding corporate rules (BCR) as a legal basis for transfers to the US and other third countries. to assess the surveillance and security laws of the third countries they transfer personal data to. If there are problematic laws or practices in the country of destination, e.g. on third country government binding requests or direct monitoring of data, they would need to stop transferring personal data, e.g. move data processing to the EEA or terminate the agreements with the relevant service providers, unless they are able to establish efficient supplementary measures against the laws or practices. To be efficient, such measures would typically need to involve pseudonymization or encryption managed by the customer or a third party. Due to the stricter transfer requirements, most companies will need to make changes to their business processes and/or use of providers. For some companies, Schrems II has probably had a greater impact than the introduction of the General Data Protection Regulation (GDPR) itself. What is the most recent guidance that the EDPB has issued regarding data transfers? On 18 June 2021, the European Data In brief, what was the Schrems II decision and how has it had such a widespread effect on international data transfers? In a landmark ruling on 16 June 2020 (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillan Schrems (Schrems II)), the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield with immediate effect. From the point of announcement, a large number of organisations on both sides of the Atlantic lacked a legal basis for their transfers of personal data from the from the EEA to the US. However, the most significant effect of the Schrems II ruling is arguably related to the much-used EU standard contractual clauses (SCC) adopted by the EU Commission, which is also the most obvious alternative to the EU-US Privacy Shield for transfers to the US. While the CJEU found the SCC still valid, in order for the data exporter and data importer to rely on SCC they must verify that there is no reason to believe that any laws or practices applicable to the data importer hinders the data importer in fulfilling its obligations under the SCC. Thus, the CJEU has put a heavy burden on businesses For some companies, Schrems II has probably had a greater impact than the introduction of the General Data Protection Regulation (GDPR) itself.