The Schrems II Decision is a key ruling by the Court of Justice of the European Union (CJEU), in July 2020 they declared that Privacy Shield, the EU-US personal data transfer mechanism, was no longer lawful. This decision will have significant impacts on EU-US data transfers, and many organizations will need to update their programs to rely on alternative transfer mechanisms.
In compliance with the GDPR, when transferring personal data from an EU country to a country that does not have a confirmed adequacy status for their level of personal data protection (known as a third country), you must employ a transfer mechanism that demonstrates protection to the equivalent. This is what makes the data transfer legal.
The Schrems II decision specifically looked at Privacy Shield and Standard Contractual Clauses (SCCs). While Privacy Shield has been invalidated, SCCs still remain a valid, legal mechanism for data transfers, although they must now be taken on a case-by-case basis.
In short, yes, SCCs are still a valid data transfer mechanism. However, they must be considered on a case-by-case basis, the data exporter and the importer have to take into account whether an adequate standard of protection can be provided in the third-party country the data is being transferred to. It is also the responsibility of the importer to inform the exporter if they are unable to meet the terms of the SCC.
The Schrems II Decision will have a direct impact on your organization if relying on Privacy Shield or SCCs for data transfers. After the July ruling, there was no grace period given before Privacy Shield was invalidated, so organizations are required to pivot their affected transfers to rely on valid mechanisms.
Based on regulatory guidance and deep privacy research, OneTrust’s privacy, security, and data governance solutions are optimized to support organizations as they assess and adapt their programs.
OneTrust’s Schrems II Solutions support organizations operationalize a range of functions, including:
Data Mapping Automation: Map discovered data, identify, assess and document transfer mechanisms, and link to vendors
Third-Party Risk Management: Assess vendors who rely on SCCs, manage on-boarding and off-boarding, alongside other contract updates
Third-Party Risk Exchange: Leverage pre-completed vendor assessments and chasing services
DataGuidance Research: Stay up to date with the latest Schrems II guidance and compare adequacy decisions around other third countries