SCC guidance in wake of Schrems II decision landing 'very soon,' EU official says

European data regulators will issue guidance “very soon” on how EU-based data exporters should implement a landmark EU court decision that puts new obligations on those exports, a senior EU official said.

The guidance is needed after the European Court of Justice annulled the EU-US Privacy Shield on July 16 and imposed requirements on the use of Standard Contractual Clauses, a widely used data transfer mechanism. Companies are now scrambling to find a legal basis to transfer personal data outside of the EU.

“Everyone understands that this is a period of uncertainty and that’s why indeed we will come with the SCCs in two to four weeks, and it’s rather two rather than four weeks,” Bruno Gencarelli, a senior European Commission official, said during an MLex webinar*.

He said the European Data Protection Board, an umbrella group of the EU data protection authorities, will issue guidance “very soon” on “supplementary measures” that companies can take to ensure that transferred data is protected.

Even though the EU court upheld SCCs, the judges imposed strict conditions on their use. Data exporters must consider the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data.

The EDPB has created two task forces to deal with the consequences arising from the Schrems decision. The first will discuss how best to handle more than 100 complaints filed by a privacy-advocacy group across the EU. Another group will explore what new supplementary measures might be needed to ensure adequate protection of data when it’s transferred outside of the EU.

Gencarelli stressed that the Schrems II judgment isn’t about a “binary approach” of whether a company can or cannot transfer data to a certain country. According to the EU’s General Data Protection Regulation, data transfers under SCCs must be assessed on a case-by-case basis, he said.

“It's about considering all the relevant circumstances of data transfer,” he said, adding that may include the nature of data, the identity of the addressee of the transfer, and the laws under which the addressee may or may not be subject to.

“On the basis of that assessment, you can decide which transfer tool to use or whether you want to use a certain transfer method,” he said. “And if you have identified a risk, a certain risk, whether you need or not, to put into place certain additional safeguards to address and to limit that risk. That’s really our starting part.”

The guidance will provide companies with a “methodology” and a “toolbox” for that risk assessment, Gencarelli said.

Thomas Boué, policy director at the BSA | The Software Alliance, which represents tech companies such as Microsoft, Symantec and Workday, said companies could use technical measures, such as encryption, to safeguard data, or adopt organizational structures, including being transparent about the volume and nature of requests from government authorities when legally permitted.

He said technical measures such as encryption “may work in some cases, but not in others” and that there is no “silver bullet” to address data-transfer risks.

“There's no one size fits all,” he said. “It cannot be happening across the board. It's going to have to be for each transfer that the company is exporting and the company is importing. They will have to look at all these and what are the best safeguards possible.”

Alex Greenstein, director of the Privacy Shield at the US Department of Commerce, said the US government is focused on providing support to US companies that want to use SCCs.

“This is also something that the US government is very much focused on to support US companies to utilize the SCCs following the Schrems ruling,” he said.

The Department of Commerce has released a white paper on trans-Atlantic data flows with explanations about US law and practices that want to use SCCs, he said, adding that doing the risk assessment is a burden on small companies.

The US government wants to continue talks with the EU on finding a new agreement to replace the Privacy Shield, which is used by more than 5,300 companies, 70 percent of which are small companies, he said.

— California’s Proposition 24 —

One week from today, California voters will decide Proposition 24, a ballot initiative that would update California’s existing privacy law to create the first standalone US data protection authority, the California Privacy Protection Agency.

The initiative’s chief proponent, Alastair Mactaggart, says that if the proposed California Privacy Rights Act is approved by voters, California would have the legal basis to seek data protection adequacy from Europe, meaning data transfer schemes such as Privacy Shield would no longer be necessary.

“Overtly the intention is to essentially recreate GDPR here” in California, Mactaggart told MLex in an interview this week. Mactaggart said adequacy could drive the construction of data centers in California, and it would force other US states to pass similar privacy laws to keep pace. “That’s always been part of our vision,” he said.

Gencarelli said today that he wanted to take pains to not opine on an election in California, but that European officials would be willing to open a dialogue about adequacy should California seek that status under the new law.

“If California would be interested in entering into such talks, of course, we would look at that,” Gencarelli said, saying the vote is being followed with “a lot of interest” in Europe.

Adequacy for California, however, is a long-term shift that would not be a potential solution to the Schrems II decision, said Greenstein.

“The United States has a national discussion ongoing about privacy issues and the need for baseline privacy legislation. But I would say that that is a separate question from how we respond to Schrems,” he said.

*"Crafting a solution to Schrems II. Is a permanent fix possible?" Data Protection World Forum and MLex. Oct. 27, 2020