The Schrems 2.0 opinion published on 19 December 2019 wasn't quite the bleak midwinter for international data transfers that many were expecting.
The advocate general in this case indicated in his opinion that the standard contractual clauses (SCCs) are valid; however, he did express doubts about the EU-U.S. Privacy Shield.
The upshot? Businesses which transfer personal data overseas breathed an understandable, albeit temporary, sigh of relief. In most cases the court follows such opinions, so it looks likely that in the second half of 2020 the court will hold that there is still life in SCCs yet, but that there ought to be greater scrutiny of them.
The case is also likely to consider US transfers specifically and the Privacy Shield in more detail.
So what can you do now to prepare for the final outcome of this case and any unexpected developments in it? As noted in our recent article:
- Know your data flows. What countries outside the EEA are you sending personal data to? Check your records of processing. Are they vital to your business? What would happen if these flows were switched off? Are there any workarounds, i.e., do you need to send this personal data or is there an alternative, such as sending the personal data to a data centre in the EEA as opposed to a data centre outside the EEA?
- What contingency plans do your suppliers and other key stakeholders have in place? What risk appetite do they have? Are they less or more willing to tolerate risk than you?
- Are BCRs an attractive proposition for your multi-national business?
- Are any of the derogations feasible for your business in the short, medium or long term?
- Are your board and senior management aware of the potential, albeit seemingly less likely, invalidation of SCCs? What resources does your business have to deal with this?
Finally, a happy New Year (and indeed decade) to all!
Whatever happens, the case is also a good opportunity to make sure that your business is complying with the principles of the GDPR generally, such as data minimisation: ensuring the personal data you are processing is adequate, relevant and limited to what is necessary. Do you really need to process certain personal data and then send it overseas? As always, the more you process, the more responsibilities you have to look after it.