The European Commission on Friday sought comments on two new data transfer tools after Europe’s Supreme Court in July placed strict conditions for such mechanisms that thousands of companies use to transmit data from Europeans around the world for various services.
The Luxembourg-based European Court of Justice upheld the validity of the data transmission mechanism known as the Standard Contractual Clauses (SCC) in a case involving Facebook and Austrian privacy activist Max Schrems, who campaigned about the risk of US intelligence agencies having access to data on Europeans.
The judges said: Privacy watchdogs should suspend or ban transfers outside the European Union if other countries cannot guarantee data protection.
Since then, the European Commission has scrambled to find a solution as companies grapple with the implications and costs of the court ruling.
The data transfer mechanism known as the Standard Contractual Clauses (SCC) is used for services ranging from cloud infrastructure, data hosting, payroll, and financing to marketing.
On Friday, the European Commission published draft model data protection clauses with the aim of revising existing standard contractual clause mechanism rules.
Vera Jourova, Vice President for Values and Transparency, said in a statement: With this updated tool, we want to ensure a high level of protection for our personal data, regardless of where that data is located and when it travels, and we also want to assist companies in their compliance efforts.
Privacy monitors in the European Union, the European Council for Data Protection and the European Data Protection Supervisor will provide feedback while the companies will also be able to provide feedback during a four-week public consultation.
European Union countries need to give their consent before the Commission adopts the final draft of the data transfer tools.
On November 11, 2020, the European Data Protection Board (EDPB) issued two guidance documents outlining the approach organizations expect to take when transferring data outside the European Union.
The EDPB’s findings create a challenging framework, although these guidelines provide a process for reviewing and evaluating data transfers.
Organizations may find significant obstacles to their ability to transfer data for routine business purposes or to use service providers located outside the European Union.