On September 3, 2020, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament held a meeting to discuss the future of EU-U.S. data flows following the Schrems II judgment of the Court of Justice of the European Union (the “CJEU”). In addition to Members of the European Parliament (“MEPs”), the meeting’s participants included Justice Commissioner Didier Reynders, European Data Protection Board (“EDPB”) Chair Andrea Jelinek and Maximilian Schrems. Importantly, Commissioner Reynders stated during the meeting that the new Standard Contractual Clauses (“SCCs”) might be adopted by the end of 2020, at the earliest.
Below are additional takeaways from the LIBE Committee meeting:
- The European Commission will work closely with EU data protection authorities (“DPAs”) to ensure a coordinated response to the CJEU ruling. According to Commissioner Reynders, the Commission will focus its work on three main areas: (1) working with national DPAs and the EDPB on developing further guidance for companies addressing the transfer of personal data outside of the European Economic Area (“EEA”); (2) modernizing the SCCs; and (3) working together with its U.S. counterparts on a potential, strengthened framework for transfers of personal data between the EEA and the U.S.
- Regarding the modernization of the SCCs, Commissioner Reynders stated that a first draft should be available this month. The European Commission is hoping to launch the adoption process soon and to finalize the SCCs by the end of 2020. Notably, from a procedural perspective, the adoption of new SCCs requires the opinion of the EDPB and a positive vote from EU Member States.
- According to Commissioner Reynders, there are three areas for improvement regarding the SCCs: (1) the SCCs must be updated in light of the new requirements introduced by the EU General Data Protection Regulation (“GDPR”), including the requirements of Article 28 and the transparency requirements; (2) the new SCCs should address transfer scenarios that are not covered by the current SCCs, such as transfers of data between an EU data processor and a non-EU data processor; and (3) the new SCCs should better reflect the realities of data processing operations in a modern and open economy. For example, the Commission is exploring solutions to easily enable multiple parties to sign SCCs and allow the accession of new parties.
- With respect to the possibility of a new and strengthened framework allowing transfers of personal data between the EEA and the U.S., Commissioner Reynders stated that there will be no quick fix given the complexity of the matter—a new framework may require a legislative change at the U.S. level and the current political context, including the upcoming U.S. elections, may delay the process. However, in light of the recent developments concerning privacy and government surveillance in the U.S., Commissioner Reynders suggested that there is now more common ground from which to seek an alternative solution than there was when the Privacy Shield was negotiated.
- Following the CJEU ruling, Schrems’s organization, None of Your Business (“NOYB”), filed 101 complaints across EU Member States. Despite the fact that these complaints must be handled at a local level by the national DPAs, the EDPB said that it recognizes the importance of a consistent response to the complaints. The EDPB Chair announced that a taskforce has been created within the EDPB to handle these complaints uniformly.
- In addition, the EDPB Chair stated that the EDPB will now focus on (1) reviewing and updating existing EDPB documents that relate to data transfers and (2) preparing additional recommendations on the transfer of personal data from the EEA to third countries to support data controllers and processors. The EDPB also will assist the European Commission, as necessary, including by providing comments on the new set of SCCs that the European Commission is currently drafting.
The LIBE Committee hearing is available here.