The United States and the European Commission have reached a deal in principle regarding the transfer and storage of European data on U.S. soil. Data privacy experts warn that the commitment may be too vague to maintain cybersecurity standards.
Earlier this month, the European Commission announced that it has adopted “two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries.” The new SCCs take into account new requirements under the General Data Protection Regulation as well as the Court of Justice’s Schrems II opinion.
Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.
As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.
In the wake of Schrems II, the EDPB’s much-anticipated recommendations provide extensive guidance on supplementary measures parties can use to legally transfer data out of the EEA in the absence of an adequacy decision.
In a flurry of activity last week, the European Data Protection Board (EDPB) and the European Commission made major announcements affecting cross-border data transfers out of the EEA. First, the EDPB announced the adoption of draft recommendations on measures that supplement cross-border data transfer tools as well as recommendations on the European Essential Guarantees for surveillance measures. The below post will examine the EDPB’s draft recommendations on supplementary measures. The draft new standard contractual clauses will be discussed in a separate post.