In the wake of the recent Court of Justice of the European Union’s decision in Schrems II, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs met in early September to discuss the long-awaited revision of Standard Contractual Clauses (SCCs). During the meeting, Commissioner for Justice Didier Reynders expressed hope that revised SCCs would be finalised by the end of 2020.
While this is welcomed news for privacy professionals, it is yet to be determined what form these revised SCCs will take and the extent to which they will address the Schrems II judgment. Once the revised SCCs are released, companies will need to determine the best way to implement them for cross-border data transfers between intra-group affiliates as well as third parties.
Following the Schrems II judgment, subsequent guidance by the European Data Protection Board (EDPB) and the recent U.S. Government White Paper on U.S. Privacy Safeguards Relevant to SCCs after Schrems II, companies who engage in cross-border data transfers between the EU and third countries will need to carry out a Schrems II privacy impact assessment in order to assess the laws in the third country where the personal data is being transferred to (e.g. the U.S., China, India, Russia etc.) and determine whether any supplementary protections are required to be put in place in addition to SCCs. Further guidance on these supplementary protections is expected to be published by the EDPB in the coming months.