In its “Schrems II” opinion issued July 16, the Court of Justice of the European Union did not reach any findings on the EU Commission’s decisions 2001/497/EC or 2004/915/EC, i.e., the standard contractual clauses for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs:
- The additional measures for transfers under C2P SCCs also apply to transfers under C2C SCCs.
- Those additional measures for C2C transfers may be even more burdensome than those for C2P transfers because the level of protection afforded to data subjects under C2C SCCs seems to be lower than under C2P SCCs.
Companies will, therefore, need to evaluate each data flow under C2C SCCs, in particular with respect to the legal system of the third country, types of data transferred, type of recipient and types of data subjects. This is because “Schrems II” was not limited to data transfers to the U.S. but applicable to all data transfers to third countries outside of the EU/European Economic Area.
Note: This is the fourth in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.