Taste SpreadAs the world becomes increasingly interconnected, it has become common for businesses to engage in cross-border data transfers. However, with the rise in data breaches and privacy concerns, there is growing concern about the security of these transfers. In response, the European Union (EU) has introduced measures to protect the privacy and security of data transfers, including the use of Standard Contractual Clauses (SCCs).
SCCs are standardized terms and conditions that companies can use to establish legally binding agreements for the transfer of personal data. SCCs were first introduced by the EU in 2001 and have since been updated to reflect changes in technology and privacy regulations.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in the Schrems II case, which invalidated the EU-US Privacy Shield agreement, making SCCs the primary mechanism for cross-border data transfers between the EU and the rest of the world. The decision was based on concerns about US surveillance practices and the lack of adequate protection for EU citizens` personal data.
Following the Schrems II decision, the European Data Protection Board (EDPB) issued guidance on the use of SCCs. The guidance emphasized the need for companies to conduct a risk assessment of data transfers, taking into account the laws and practices of the country to which the data is being transferred. The guidance also highlighted the need for additional safeguards, such as encryption, to be put in place to ensure the security of data transfers.
On 4 June 2021, the European Commission adopted new SCCs that reflect the requirements of the General Data Protection Regulation (GDPR) and the Schrems II decision. The new SCCs provide more detailed provisions to ensure the consistency of data protection and facilitate compliance with the GDPR. The new SCCs also address the need for additional safeguards in the context of the Schrems II decision.
As of 27 September 2021, companies that transfer personal data outside the EU must use the new SCCs. Existing SCCs can still be used for up to 18 months, but companies must ensure that they are in compliance with the new requirements.
In conclusion, the use of SCCs is an important tool for protecting the privacy and security of cross-border data transfers. Companies should ensure that they are using the new SCCs and conducting a thorough risk assessment to comply with GDPR and the Schrems II decision. Failure to comply with these requirements can result in significant legal and reputational risks for companies.