Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.

International Data Transfers post Schrems – Moving Towards Solutions

International data transfers are both essential for the modern world and a major source of risksto the protection of personal data. In this, we can speak of a clash between an important multifacetedobjective and the protection of a complex fundamental human right with implicationsgoing far beyond that right itself.The goal must be to facilitate data privacy respecting international data transfers. However,agreement on this goal – even if widespread – does not necessarily signal agreement on how wereach that goal. To make progress, we must proceed with caution and yet avoid getting boggeddown in the unavoidable challenges, such as definitional challenges, we will face.This article canvasses a selection of key considerations that ought to be kept in mind whenwe discuss approaches to international data transfers. However, to prepare ground for that discussion,it first sets the scene by examining the so-called Schrems II decision, its larger contextand background, as well as some of the reactions we have seen to that decision.

Regulation of International Data Transfers in Clouds

This chapter studies the regulation of international data transfers in clouds. The General Data Protection Regulation (GDPR) stipulates that any transfer of personal data from the European Union (EU) (as well as other European Economic Area (EEA) countries) to a third country or an international organisation is subject to restrictions to ensure that the level of protection provided by the GDPR is not undermined. The GDPR requires either adequate protection or appropriate safeguards for transfers of personal data to third countries. When assessing a data transfer to a third country, a number of factors must be considered. First, it is necessary to establish whether the processing of personal data falls within the scope of the GDPR. Second, the GDPR may apply either to the cloud provider or its customer, or to both. Third, it is necessary to establish when a 'transfer' of personal data from an EU Member State to a third country is taking place and how the protection of the data can be ensured. Fourth, in some circumstances, there may be an exception to the requirement to ensure continued protection following a data transfer.

Las decisiones de adecuación en el Derecho europeo relativas a las transferencias internacionales de datos y los mecanismos de control aplicados por los estados miembros = Adequacy decisions in European Law related to international data transfers and control mechanisms applied by the member states

Resumen: La nueva legislación europea ha traído consigo un régimen sobre transferencias inter­nacionales de datos mucho más desarrollado que la Directiva 95/46/CE, y de ello debemos destacar el nuevo régimen de la decisión de adecuación y la influencia de la STJUE Schrems en dicha redacción. El objetivo de este nuevo régimen es supervisar que todo país, sector u organización internacional de­clarado como “adecuado” lo continúe siendo a lo largo del tiempo, y si no fuera así, tomar medidas para resolver la situación.Palabras clave: decisión de adecuación, RGPD, transferencia internacional de datos, Schrems.Abstract: The new legislation has brought with it a regime on international data transfers that is much more advanced than Directive 95/46/EC, and we must highlight the new regime of the adaptation decision and the influence of RCJEU Schrems in that wording. The objective of this new regime is that the entire country, the sector or international organization declared as “adequate” continue to be so over time, and if not, take measures to fix the situation.Keywords: adequacy decision, GDPR, international data transfer, Schrems.