International Data Transfers Under The GDPR: From Schrems To The New Standard Contractual Clauses And The EDPB Recommendations

• Published date: 30 June 2021
• Subject Matter: Privacy, Compliance, Data Protection, Privacy Protection
• Law Firm: Nicholas Ktenas & Co Ltd
• Author: Mr Nicholas Ktenas

1. Introduction

In the absence of an "adequacy decision" by the Commission that a particular third country ensures an adequate level of protection under the General Data Protection Regulation (GDPR), standard data protection clauses adopted by the Commission in accordance with the Regulation are widely as legal grounds for data transfers from the EU to third countries.

On 4^th June 2021, by its Implementing Decision (EU) 2021/914 (CID (EU) 2021/914) the European Commission published new modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These new SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46, which were in effect "grandfathered" into the GDPR and continued to be relied upon for international transfers after the GDPR came into effect on 25^th May 2018.

The new SCCs will enter into force on 27/6/2021 and organizations may begin incorporating them into new contracts after this date. However, according to the Implementing Decision organizations may continue signing the old SCCs in new agreements until 27/9/2021, and by 27/12/2022 they must introduce the new SCCs into agreements that relied on the old SCCs, "provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards" (Article4(4)).

No doubt the new SCCs are a long-anticipated update in this area, particularly welcome by the international business community and especially organizations and privacy practitioners in the EU. But to understand the reasons behind the adoption of the new SCCs and their importance it is necessary to consider the historical background and how the legality of international data transfers under the old SCCs was viewed by the CJEU after the GDPR came into effect. It should, however, be noted that of no less importance to CID (EU) 2021/914 is the European Data Protection Board's updated Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0, adopted on 18 June 2021, also discussed below.

2. The Schrems Rulings

Case C-362/14 (Schrems I) challenged the Irish DPC's refusal to investigate a complaint by an Austrian privacy advocate, Max Schrems, asking the DPC to suspend data transfers from Facebook Ireland to Facebook Inc due to Mr. Schrems' concern that his personal data could be accessed by U.S. intelligence authorities and that his EU data protection rights would be violated. The CJEU invalidated the "Safe Harbor" arrangement, which permitted the transfer of personal data from the EU to the US since 2000, because the arrangement failed to provide the requisite legal protection under Directive 95/46/EC. As a result, in February 2016 the European Commission and the US government reached a political agreement for the implementation of a new legal framework for data transfers from the EU to the US, called the "EU-U.S. Privacy Shield", which was shortly after followed by an adequacy decision.

However, on 16^th July 2020 a further ruling of the CJEU in C-311/18 (Schrems II), invalidated the Commissions' adequacy determination for the EU-U.S. Privacy Shield and questioned the validity of processing activities involving the transfer of personal data outside the EEA, emphasizing the need for an updated, user-friendly tool for organisations to rely on to ensure compliance of such data transfers with the requirements of the GDPR.

Schrems II concerned a reformulated complaint to the Irish Data Protection Commissioner by Mr. Schrems in 2015 that the transfer of his personal data from Facebook Ireland to its parent company in the US, made on the basis of the SCCs, did not protect his fundamental rights under EU law, given the...