In its “Schrems II” opinion issued July 16, the Court of Justice of the European Union did not reach any findings on the EU Commission's decisions 2001/497/EC or 2004/915/EC, i.e., the standard contractual clauses for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs:
- The additional measures for transfers under C2P SCCs also apply to transfers under C2C SCCs.
- Those additional measures for C2C transfers may be even more burdensome than those for C2P transfers because the level of protection afforded to data subjects under C2C SCCs seems to be lower than under C2P SCCs.
Companies will, therefore, need to evaluate each data flow under C2C SCCs, in particular with respect to the legal system of the third country, types of data transferred, type of recipient and types of data subjects. This is because “Schrems II” was not limited to data transfers to the U.S. but applies to all data transfers to third countries outside of the EU/European Economic Area.
C2C SCCs are still valid
To be clear, at this time, C2C SCCs remain valid because “Schrems II” did not address them. As set out below, however, a risk exists that the CJEU may subsequently invalidate C2C SCCs if asked to weigh in on the question, taking into account its reasoning in “Schrems II.”
Additional conditions for data transfers under C2C SCCs
Considering the CJEU’s reasoning in “Schrems II,” it also seems unavoidable to apply the additional conditions for transfers under C2P SCCs to transfers under C2C SCCs. While Articles 46(1) and (2)(c) of the EU General Data Protection Regulation were analyzed by the CJEU only for C2P SCCs, they represent the same legal basis for transfers under C2C SCCs. Article 46(1) of the GDPR, moreover, specifically says that data transfers to a third country may only occur on the condition that data subjects have enforceable rights and legal remedies.
“In the absence of a decision pursuant to Article 45(3) [i.e. an adequacy decision by the EU Commission], a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
In light of the “Schrems II” decision, we must focus on two important requirements for cross-border data transfers that rely on SCCs: (1) appropriate safeguards; and (2) data subjects having enforceable rights and effective legal remedies available. This applies not only to future cross-border data transfers, but also to already ongoing data transfers. To determine whether data subjects have enforceable rights and effective legal remedies available, however, the CJEU now requires an assessment of the legal system of the third country and whether the data subjects are afforded a level of data protection essentially equivalent to the level of protection under the GDPR and the EU Charter of Fundamental Rights.
Assessment of the level of data protection in the third country
As covered in our guidance