Guidance for Navigating International Transfers & Schrems II
Latest Guidance and Information for Companies Navigating International Transfers and the Schrems II Ruling
- The Updated EDPB Recommendations on Transfer Safeguards
- Applying the New SCCs – International Transfers Defined? Making sense of what actually constitutes an international transfer.
- European Commission Adopts New Standard Contractual Clauses
- EU International Data Transfers: What We Know Now. Our November 19th update on what we know now.
- Schrems-II: Where Are We Now? Our September 9th update on the Schrems-II decision.
- Top Ten Frequently Asked Questions about the Schrems II Decision.
- Our analysis of the implications of the recent Schrems II decision on Privacy Shield and SCCs.
- Schrems-II: The Day After, our analysis after authorities weigh in on CJEU decision.
- Schrems-II: Further Analysis. A closer look at the Core Elements of the Verdict.
Understanding International Transfers
What constitutes an international transfer from the EU to third countries? For almost five years, privacy professionals have struggled with international transfers of personal data originating in the EU. The two Schrems decisions have brought some clarity – no international transfer may undermine the level of data protection offered under GDPR, and essentially equivalent protection is required.
The new Standard Contractual Clauses (SCCs) adopted on June 4th, 2021 do include some indications on how to look at data transfers going forward.
International Transfer Package
Understanding the risks of your international transfers is complicated, nuanced and time-consuming. TrustArc’s automated approach combines deep regulatory understanding and expert risk analysis, bringing regional transfer assessments into the modern age.
The International Transfer Package helps organizations:
- Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
- Conduct data transfer and risk threshold assessments
- Leverage templates that help operationalize regulatory requirements and trigger compliance mechanisms
Regulator Resources
Interested in seeing how regulators are reacting to the Schrems-II decision?
Click through to review the regional Data Protection Authorities’ guidance and download the entire chart below. Where applicable, see regional regulator responses including their overall comment, specific Privacy Shield comment and guidance on SCC assessments.
European Union
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
EUROPEAN DATA PROTECTION SUPERVISOR (EDPS) | The verdict of the Court reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. The EDPB expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. | This is the second time in almost 5 years that a European Commission adequacy decision concerning the United States is invalidated by the Court. In its judgement, the Court confirmed the criticisms of the Privacy Shield repeatedly expressed by the EDPS and the EDPB. European supervisory authorities will advise the Commission on any future adequacy decisions, in line with the interpretation of the General Data Protection Regulation (GDPR) provided by the Court. | ||
EUROPEAN DATA PROTECTION BOARD (EDPB) | Factual statement on the verdict – no information on enforcement or advice on transfers; further analysis to follow. | The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S. | The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority. |
Joint Press Statement from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross – European Commission | The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades. | |||
Joint statement by Chair of the Committee of Convention 108 and Data Protection Commissioner of the Council of Europe | Some influential voices have been calling, in the aftermath of the Schrems II decision, for a legally binding international agreement for the protection of privacy and personal data. This instrument exists: it is Convention 108+. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (more commonly known as “Convention 108”) is the only legally binding multilateral instrument on the protection of privacy and personal data open to any country in the world. |
United States
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Joint Press Statement from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross – European Commission | The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades. | |||
U.S. Department of Commerce | EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. | Organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. | For help determining the most appropriate data transfer mechanism for an organization, please contact the European Commission, the appropriate European national data protection authority or legal counsel. |
Austria
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Austrian Data Protection Authority | No statement yet |
Belgium
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Authority | Refers to EDPB official information |
Bulgaria
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Commission for Personal Data Protection | Factual statement on the verdict – no information on enforcement or advice on transfers |
Croatia
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Agency | Factual statement on the verdict – no further guidance |
Cyprus
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Commissioner for Personal Data Protection | No statement yet |
Czech Republic
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Office for Personal Data Protection | Factual statement on the verdict – no information on enforcement or advice on transfers |
Denmark
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Danish Data Protection Agency | Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance | This means that in future no personal data can be transferred to the United States using the Privacy Shield. Privacy Shield is a special scheme based on the EU Commission Decision 2016/1250, which has previously made it possible to transfer personal data from the EU to companies in the USA that had joined the scheme. |
Estonia
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Estonian Data Protection Inspectorate | Factual statement on the verdict – When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country’s adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission’s data protection clauses themselves. The assessment must determine whether the protection of Europeans’ personal data can be protected in the future or in the future by ensuring data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found. | From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission. This means that one option is to conclude a corresponding agreement, which has been set by the European Commission. Other safeguards can be used in the articles of the General Data Protection Regulation (GIP). |
Finland
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Authority | Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance |
France
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Commission Nationale de l’Informatique et des Libertés | Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance | The CJEU invalidated the “Privacy Shield” adequacy decision, adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor”, which allowed the transfer of data between the EU and US companies adhering to its data protection principles. |
Germany
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Commissioner for Freedom of Information | Reliance on the Privacy Shield is no longer possible for transfers to the U.S. The use of SCCs requires special safeguards to be taken for the data exchange with the U.S. | Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice. | The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities. The BfDI will issue a further statement after the publication of the entire judgment and the deliberations in the European Data Protection Board. In this context, the focal point will be the revision of the standard contractual clauses by the European Commission, as well as the need for the USA to ensure that the European people enjoy the same fundamental rights as US-nationals. | |
Press release from the Conference of Independent Data Protection Supervisors | The European Court of Justice declared Privacy Shield invalid because the US law assessed by the CJEU does not offer a level of protection that is essentially equivalent to that in the EU. | The transfer of personal data to the USA on the basis of Privacy Shield is not permitted and must be discontinued immediately. | For a transfer of personal data to the USA and other third countries, the existing standard contractual clauses of the European Commission basically continue to be used. However, the ECJ emphasized the responsibility of the responsible persons and the recipient to assess whether the rights of the persons concerned enjoy the same level of protection in the third country as in the Union. Only then can it be decided whether the guarantees from the standard contractual clauses can be realized in practice. If not, it should be checked what additional measures can be taken to ensure a level of protection essentially equivalent to that in the EU. |
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (Baden-Württemberg) | All third country transfers must be assessed on a case by case basis to determine the legal situation in these countries (i.e. potential for public authority access to transferred data and ability of data subjects to obtain recourse for damages), and most appropriate transfer mechanism (SCCs, derogations, adequacy decisions); where service providers or contractual partners cannot provide adequate protection levels (e.g. SCCs cannot be modified to add increased protections) and are replaceable, data transfers to these recipients are prohibited. | The CJEU declared the Shield invalid, finding that: US authorities have extensive access to personal data of European citizens; and there are insufficient protections for fundamental data protection rights. Personal data transfers to the US can no longer be made under this legal basis. | Data exporters must: *Check, on a case-by-case basis, that third countries offer appropriate levels of protection for transferred data; *Take additional measures to guarantee appropriate protections: if measures cannot be put in place, the transfer must be terminated or suspended. *Speak with data recipients to determine if SCC provisions can be modified, particularly Annex Clauses: 4f – informing affected individuals about transfers of special category data that may not have adequate protection levels; 5d – include legal recourse against disclosures or access to personal data to public authorities; 5d(i) – duty of data importers to immediately inform data subjects of all legally binding requests from enforcement authorities to access personal data; and 7 1(d) – referral to EU courts for disputes of third party beneficiary rights and claims for damages. |
Bavaria State Office for Data Protection Supervision (Bavaria – Private Sector) | No statement yet | |||
Bavarian State Commissioner for Data Protection (Bavaria – Public Sector) | No statement yet | |||
Berlin Commissioner for Data Protection and Freedom of Information (Berlin) | Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically calls out China, Russia, and India as countries for which there will be similar problems for data transfers. | |||
The state representative for data protection and for the right to inspect files in Brandenburg (Brandenburg) | No statement yet | |||
The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (Bremen) | No statement yet | |||
Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg) | Would have liked to see that the CJEU had also invalidated SCCs as a means for transfer to the U.S., since the risks and safeguards for Privacy Shield and SCCs are the same. Expects hard times for all international data transfers. | Data protection supervisory authorities in Germany and Europe must now swiftly come to a common understanding on how to deal with companies that are now illegally continuing to rely on the Privacy Shield. | Both the proportionality of access by the authorities and the guarantee of functioning legal protection must be demonstrated by the exporter to his local data protection authority on request. | |
The Hessian Data Protection Officer (Hessen) | No statement yet | |||
State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern (Mecklenburg-Vorpommern) | Only a link to the CJEU press release on the DPA website press page | |||
The State Commissioner for Data Protection Lower Saxony (Lower Saxony) | No statement yet | |||
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (North Rhine-Westphalia) | No statement yet | |||
State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (Rhineland-Palatinate) | The Court has made clear data controllers have a strong responsibility to verify the actual legal situation in a third country before transferring personal data. Just signing the SCCs is not enough. If the requirements of EU data protection law cannot be met, the transfer must be stopped. | The CJEU declared the EU-US Privacy Shield invalid, which is therefore no longer the legal basis for data transfers to the USA. | “The CJEU has clarified that companies cannot free themselves from their audit obligations by using the standard contractual clauses,” explains Professor Kugelmann. “The ball is now in the field of those responsible. They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data. If the data recipients are subject to the legal rules of their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses.” | |
State representative for data protection and freedom of information (Saarland) | No statement yet | |||
Saxon Data Protection Officer (Saxony) | ||||
State Commissioner for Data Protection Saxony-Anhalt (Saxony-Anhalt) | No statement yet | |||
Independent state center for data protection in Schleswig-Holstein (Schleswig-Holstein) | No statement yet | |||
Thuringian State Commissioner for Data Protection and Freedom of Information (Thuringia) | As yet it is unclear how SCCs can still be used for data transfers to the U.S., given the extensive criticism voiced by the Court on the national surveillance legislation. | If the ECJ now emphasizes that the protective mechanisms of the standard contractual clauses and their compliance by the data exporter and the data recipient must be checked before transmission, then I do not know how, in the case of data transmission to the USA, an EU data protection compliant test result could be reached. |
Greece
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Hellenic Data Protection Authority | No statement yet |
Hungary
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
National Authority for Data Protection and Freedom of Information | Links to the CJEU press release on the DPA website front page |
Ireland
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Commission | The application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. The DPC also refers to the EDPB for further joint guidance, while welcoming the clarity brought by the verdict on various points of principle. |
Italy
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Garante per la Protezione dei Dati Personali | Adheres to the EDPB FAQ |
Latvia
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data State Inspectorate | Adheres to the EDPB plenary statement, no own guidance |
Lithuania
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
State Data Protection | Factual Statement with reference to further EDPB guidance. |
Luxembourg
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
National Commission for Data Protection | CNPD welcomes the judgment; will work with EDPB counterparts on further guidance. |
Malta
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Information Data Protection Commissioner | No statement yet |
Netherlands
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Autoriteit Persoonsgegevens | Mainly factual statement. Up to European Commission to come up with a solution. |
Norway
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | ||
Data Protection Authority |
|
Poland
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Inspector General for the Protection of Personal Data – GIODO | Controllers need to carry out an individual assessment of the level of data protection ensured as part of cross-border data transfers, which must take into account not only the contractual provisions agreed between exporters and importers of data, but also legal provisions in a third country, in particular regarding possible access by public authorities of that country to the data transmitted. Further guidance will follow via the EDPB. | Personal data can no longer be transferred to the U.S. on the basis of the Privacy Shield from the date of the verdict onwards (16 July). |
Portugal
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
National Commission for Data Protection | No statement yet |
Romania
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
National Supervisory Authority for Personal Data Processing | Factual statement; suggests looking at alternative transfer mechanisms (SCCs, BCRs, derogations) for U.S. data transfers to replace Privacy Shield as a legal basis |
Slovakia
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Office for Personal Data Protection | Factual statement on the verdict – no information on enforcement or advice on transfers |
Slovenia
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Office of the Information Commissioner | The EU Court of Justice annulled the so-called Privacy Shield, and organizations are given other listed data transfer mechanisms to take care of as soon as possible. Disclosures of personal data are still possible, provided that the controller of the personal data itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they are responsible for assessing the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the U.S. and have so far relied on the recipient being a company that can be found on the so-called Privacy Shield list must ensure as soon as possible that the transfers are justified on another basis (e.g. standard contractual clauses, binding business rules, exceptions). Otherwise, data may not be transmitted to the United States. In a very similar situation in 2015, when the predecessor of the Privacy Shield, i.e. the Safe Harbor agreement, was annulled by the Court of Justice of the European Union, organizations have often based data transfers to the U.S. on standard contractual clauses they have entered into with partner organizations. |
Spain
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Spanish Data Protection Agency (AGPD) | No statement yet | |||
Basque Data Protection Agency | No statement yet | |||
Catalan Data Protection Authority | No statement yet |
Sweden
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Inspection Board | Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance |
EUROPEAN ECONOMIC AREA
Iceland
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Authority | Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance |
Liechtenstein
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Office | However, the European Court of Justice also made clear in its ruling that data can still be transferred to the USA on the basis of other suitable guarantees under Art. 46 ff. GDPR, in particular also on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible now have to rely on such instruments. The data protection agency has published a compilation of the requirements and various suitable guarantees for data transfers to third countries on its website. |
Norway
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Data Protection Authority | The Schrems II ruling was actually about whether Facebook could transfer information about users in Europe to the United States. The Court also took the opportunity to comment on transfers to third countries in general. It concluded that the transfer basis known as the Privacy Shield is no longer valid. There are still other valid transfer bases, but the court said that using such bases in itself is not enough. | The additional requirements of the European Court of Justice have already begun to apply, and it is also no longer possible to use the Privacy Shield as a basis for transfer. The requirements apply to both new and existing transfers. | It is no longer sufficient to use a valid transfer basis such as the European Commission’s standard contractual clauses or binding corporate rules (BCR). |
OTHER RELEVANT JURISDICTIONS
New Zealand
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Privacy Commissioner | The Court considered that certain programmes enabling access by US authorities to personal data transferred from the EU for national security purposes create limits on the protection of that personal data. These limits mean there is a lack of protection that is “essentially equivalent” to EU law, and that data subjects do not have actionable rights before the courts against US authorities. | Transfers of personal data from the EU to New Zealand are conducted on the basis of the adequacy decision in place (article 45 of the EU General Data Protection Regulation). The European Commission formally ruled in December 2012 that New Zealand’s privacy law provided an ‘adequate level’ of privacy protection to meet European standards. | We will also be considering the decision in Schrems II as we develop model contract clauses under the new Privacy Act 2020. Now that the new Privacy Act 2020 has been passed (coming into force on 1 December 2020) New Zealand has new limits on international transfers of personal information (new IPP 12). |
Switzerland
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Federal Data Protection and Information Commission | After closely analysing the regime, the FDPIC concludes in his position paper of 8 September 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP). | Switzerland is not a member of the EU and is not legally bound by the CJEU decision, however: Swiss companies must assume that foreign authorities may require them to observe EU law when exporting personal data. | In many cases, standard contractual clauses (“SCCs”) and comparable provisions will not meet requirements in article 6 for data transferred to non-listed countries: they do not prevent foreign authorities from accessing personal data if the country’s public law: takes precedence; and allows official access without transparency and legal protections for concerned individuals. |
United Arab Emirates
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Dubai International Financial Centre | DP Assessment Tool – Data Export and Sharing. | As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office. | Special Note about Privacy Shield: Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield. |
United Kingdom
Entity/Region | Comment | Specific Statement on Privacy Shield | Guidance on SCC Assessments | |
Information Commissioner | The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy. | The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK. | Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this. |
TrustArc Resources
FAQs
- FAQS: Schrems-II Decision – Privacy Shield & SCCs. Answers to Your Most Pressing Privacy Shield & SCC Questions.
- FAQS: Standard Contractual Clauses (SCCs). On June 4, 2021, the European Commission formally adopted new Standard Contractual Clauses (“SCCs”) after many years of outdated SCCs.
Webinar
Watch the on-demand webinar “The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent” as we discuss the implications of the recent Schrems II decision, the status of Privacy Shield and how to navigate these significant changes. We also cover the EDPB guidelines on cookie consent and how they impact your organization.