Last July you will recall that in the Schrems II Case (“Schrems”) the Court of Justice of the European Union (“CJEU”) invalidated the European Union/United States (“EU/US”) Privacy Shield framework, while also reiterating that companies could rely on the standard contractual clauses (“SCC”s).  However, the CJEU also made clear that transfers of personal data from the European Economic Area (“EEA”) to non-adequate countries were not always permissible, requiring supplemental measures and in some cases transfer impact assessments.

In order to address the Schrems II holding and to improve ill-adapted SCCs that pre-dated the General Data Protection Regulation (“GDPR”) amid an exponential increase in cross-border transfers, the European Commission adopted two new sets of SCCs June 4, 2021:  Third Country Transfer SCCs and Controller-Processor SCCs.  As detailed below, these new SCCs must be used commencing September 27, 2021, for all new data transfers.  Companies have until December 27, 2022 to amend contracts for data transfers that previously were made under the old SCCs.
Continue Reading Addressing Data Transfers from the European Union Starting September 27, 2021

As we all know, the EU-U.S. Privacy Shield framework, the cross-border transfer mechanism relied upon by over 5,000 U.S. entities until just over a month ago, was recently invalidated by the CJEU in the Schrems II case (see here for our last post following the ruling). So what next?
Continue Reading Addressing Cross-Border Transfers from the EU Following the Schrems II Ruling