Guidance for Navigating International Transfers & Schrems II

Latest Guidance and Information for Companies Navigating
International Transfers and the Schrems II Ruling


    Our Latest Analysis

    Understanding International Transfers

    What constitutes an international transfer from the EU to third countries? For almost five years, privacy professionals have struggled with international transfers of personal data originating in the EU. The two Schrems decisions have brought some clarity: no international transfer may undermine the level of data protection offered under GDPR, and essentially equivalent protection is required.

     

    The new Standard Contractual Clauses (SCCs) adopted on June 4th, 2021 do include some indications on how to look at data transfers going forward.

    International Transfer Package

    Understanding the risks of your international transfers is complicated, nuanced and time-consuming. TrustArc’s automated approach combines deep regulatory understanding and expert risk analysis, bringing regional transfer assessments into the modern age.

    The International Transfer Package helps organizations:

    • Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
    • Conduct data transfer and risk threshold assessments
    • Leverage templates that help operationalize regulatory requirements and trigger compliance mechanisms

    Interested in seeing how regulators are reacting to the Schrems-II decision?

    Click through to review the regional Data Protection Authorities’ guidance and download the entire chart below. Where applicable, see regional regulator responses including their overall comment, specific Privacy Shield comment and guidance on SCC assessments.

    European Union
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers EUROPEAN DATA PROTECTION SUPERVISOR (EDPS) The verdict of the Court reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. The EDPB expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. This is the second time in almost 5 years that a European Commission adequacy decision concerning the United States is invalidated by the Court. In its judgement, the Court confirmed the criticisms of the Privacy Shield repeatedly expressed by the EDPS and the EDPB. European supervisory authorities will advise the Commission on any future adequacy decisions, in line with the interpretation of the General Data Protection Regulation (GDPR) provided by the Court.
    International Data Transfers EUROPEAN DATA PROTECTION BOARD (EDPB) Factual statement on the verdict – no information on enforcement or advice on transfers; further analysis to follow.

    The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.

    The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.

    International Data Transfers Joint Press Statement from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross – European Commission
    The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.
    International Data Transfers Joint statement by Chair of the Committee of Convention 108 and Data Protection Commissioner of the Council of Europe
    Some influential voices have been calling, in the aftermath of the Schrems II decision, for a legally binding international agreement for the protection of privacy and personal data.
    This instrument exists: it is Convention 108+

    The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (more commonly known as “Convention 108”) is the only legally binding multilateral instrument on the protection of privacy and personal data open to any country in the world.

    United States
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Joint Press Statement from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross – European Commission
    The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades.
    International Data Transfers U.S. Department of Commerce EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. Organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. For help determining the most appropriate data transfer mechanism for an organization, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

     

    Austria
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Austrian Data Protection Authority No statement yet
    Belgium
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Data Protection Authority Refers to EDPB official information

     

    Bulgaria
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Commission for Personal Data Protection Factual statement on the verdict – no information on enforcement or advice on transfers

     

    Croatia
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Data Protection Agency Factual statement on the verdict – no further guidance

     

    Cyprus
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Commissioner for Personal Data Protection
    No statement yet

     

    Czech Republic
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Office for Personal Data Protection
    Factual statement on the verdict – no information on enforcement or advice on transfers

     

    Denmark
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Danish Data Protection Agency
    Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance This means that in future no personal data can be transferred to the United States using the Privacy Shield. Privacy Shield is a special scheme based on the EU Commission Decision 2016/1250, which has previously made it possible to transfer personal data from the EU to companies in the USA that had joined the scheme.

     

    Estonia
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Estonian Data Protection Inspectorate
    Factual statement on the verdict – When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country’s adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission’s data protection clauses themselves. The assessment must determine whether the protection of Europeans’ personal data can be protected in the future or in the future by ensuring data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found. From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission. This means that one option is to conclude a corresponding agreement, which has been set by the European Commission. Other safeguards can be used in the articles of the General Data Protection Regulation (GIP).

     

    Finland
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Data Protection Authority
    Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

     

    France
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Commission Nationale de l’Informatique et des Libertés
    Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance The CJEU invalidated the “Privacy Shield” adequacy decision, adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor”, which allowed the transfer of data between the EU and US companies adhering to its data protection principles.

     

    Germany

     

    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Commissioner for Freedom of Information
    Reliance on the Privacy Shield is no longer possible for transfers to the U.S. The use of SCCs requires special safeguards to be taken for the data exchange with the U.S. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice. The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities. The BfDI will issue a further statement after the publication of the entire judgment and the deliberations in the European Data Protection Board. In this context, the focal point will be the revision of the standard contractual clauses by the European Commission, as well as the need for the USA to ensure that the European people enjoy the same fundamental rights as US-nationals.
    International Data Transfers Press release from the Conference of Independent Data Protection Supervisors The European Court of Justice declared Privacy Shield invalid because the US law assessed by the CJEU does not offer a level of protection that is essentially equivalent to that in the EU. The transfer of personal data to the USA on the basis of Privacy Shield is not permitted and must be discontinued immediately.

    For a transfer of personal data to the USA and other third countries, the existing standard contractual clauses of the European Commission can basically continue to be used. However, the ECJ emphasized the responsibility of the responsible persons and the recipient to assess whether the rights of the persons concerned enjoy the same level of protection in the third country as in the Union. Only then can it be decided whether the guarantees from the standard contractual clauses can be realized in practice. If not, it should be checked what additional measures can be taken to ensure a level of protection essentially equivalent to that in the EU.

    International Data Transfers State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
    (Baden-Württemberg)
    All third country transfers must be assessed on a case by case basis to determine the legal situation in these countries (i.e. potential for public authority access to transferred data and ability of data subjects to obtain recourse for damages), and most appropriate transfer mechanism (SCCs, derogations, adequacy decisions); where service providers or contractual partners cannot provide adequate protection levels (e.g. SCCs cannot be modified to add increased protections) and are replaceable, data transfers to these recipients are prohibited. The CJEU declared the Shield invalid, finding that:
    US authorities have extensive access to personal data of European citizens; and there are insufficient protections for fundamental data protection rights. Personal data transfers to the US can no longer be made under this legal basis.
    Data exporters must:
    • Check, on a case-by-case basis, that third countries offer appropriate levels of protection for transferred data;
    • Take additional measures to guarantee appropriate protections: if measures cannot be put in place, the transfer must be terminated or suspended.
    • Speak with data recipients to determine if SCC provisions can be modified, particularly Annex Clauses:
        4f – informing affected individuals about transfers of special category data that may not have adequate protection levels;
        5d – include legal recourse against disclosures or access to personal data to public authorities;
        5d(i) – duty of data importers to immediately inform data subjects of all legally binding requests from enforcement authorities to access personal data; and
        7 1(d) – referral to EU courts for disputes of third party beneficiary rights and claims for damages.
    International Data Transfers Bavaria State Office for Data Protection Supervision
    (Bavaria – Private Sector)
    No statement yet
    International Data Transfers Bavarian State Commissioner for Data Protection
    (Bavaria – Public Sector)
    No statement yet
    International Data Transfers Berlin Commissioner for Data Protection and Freedom of Information
    (Berlin)
    Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically calls out China, Russia, and India as countries for which there will be similar problems for data transfers.
    International Data Transfers The state representative for data protection and for the right to inspect files in Brandenburg
    (Brandenburg)
    No statement yet
    International Data Transfers The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen
    (Bremen)
    No statement yet
    International Data Transfers Hamburg Commissioner for Data Protection and Freedom of Information
    (Hamburg)
    Would have liked to see that the CJEU had also invalidated SCCs as a means for transfer to the U.S., since the risks and safeguards for Privacy Shield and SCCs are the same. Expects hard times for all international data transfers. Data protection supervisory authorities in Germany and Europe must now swiftly come to a common understanding on how to deal with companies that are now illegally continuing to rely on the Privacy Shield. Both the proportionality of access by the authorities and the guarantee of functioning legal protection must be demonstrated by the exporter to his local data protection authority on request.
    International Data Transfers The Hessian Data Protection Officer
    (Hessen)
    No statement yet
    International Data Transfers State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern
    (Mecklenburg-Vorpommern)
    Only a link to the CJEU press release on the DPA website press page
    International Data Transfers The State Commissioner for Data Protection Lower Saxony
    (Lower Saxony)
    No statement yet
    State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
    (North Rhine-Westphalia)
    No statement yet
    International Data Transfers State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
    (Rhineland-Palatinate)
    The Court has made clear data controllers have a strong responsibility to verify the actual legal situation in a third country before transferring personal data. Just signing the SCCs is not enough. If the requirements of EU data protection law cannot be met, the transfer must be stopped. The CJEU declared the EU-US Privacy Shield invalid, which is therefore no longer the legal basis for data transfers to the USA. “The CJEU has clarified that companies cannot free themselves from their audit obligations by using the standard contractual clauses,” explains Professor Kugelmann. “The ball is now in the field of those responsible. They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data. If the data recipients are subject to the legal rules of their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses.”
    International Data Transfers State representative for data protection and freedom of information
    (Saarland)
    No statement yet
    International Data Transfers Saxon Data Protection Officer
    (Saxony)
    International Data Transfers State Commissioner for Data Protection Saxony-Anhalt
    (Saxony-Anhalt)
    No statement yet
    International Data Transfers Independent state center for data protection in Schleswig-Holstein
    (Schleswig-Holstein)
    No statement yet
    International Data Transfers Thuringian State Commissioner for Data Protection and Freedom of Information
    (Thuringia)
    As yet it is unclear how SCCs can still be used for data transfers to the U.S., given the extensive criticism voiced by the Court on the national surveillance legislation. If the ECJ now emphasizes that the protective mechanisms of the standard contractual clauses and their compliance by the data exporter and the data recipient must be checked before transmission, then I do not know how, in the case of data transmission to the USA, an EU data protection compliant test result should be reached.

     

     

     

    Greece
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Hellenic Data Protection Authority No statement yet

     

    Hungary
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers National Authority for Data Protection and Freedom of Information
    Links to the CJEU press release on the DPA website front page

     

    Ireland
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers Data Protection Commission The application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. The DPC also refers to the EDPB for further joint guidance, while welcoming the clarity brought by the verdict on various points of principle.

     

    Italy
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Garante per la Protezione dei Dati Personali

    Adheres to the EDPB FAQ

     

    Latvia
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Data State Inspectorate

    Adheres to the EDPB plenary statement, no own guidance

     

    Lithuania
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    State Data Protection

    Factual Statement with reference to further EDPB guidance.

     

    Luxembourg
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    National Commission for Data Protection

    CNPD welcomes the judgment; will work with EDPB counterparts on further guidance.

     

    Malta
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Information Data Protection Commissioner

    No statement yet

     

    Netherlands
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Autoriteit Persoonsgegevens

    Mainly factual statement. Up to European Commission to come up with a solution.

     

    Norway
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

     

    Data Protection Authority
    NORWAY

    It is important to wait to enter into new agreements with third country suppliers until you are absolutely sure that you are fully able to comply with all of the European Court of Justice’s additional terms. If in doubt, the agreements should not be entered into. One must be prepared for the fact that new agreements involving the illegal transfer of personal data to third countries may be considered more severely than existing agreements. The old agreements were entered into before we became aware of the European Court of Justice’s additional terms, and in the first months after the ruling, it may take some time to adjust to the new rules. New, illegal agreements, on the other hand, can be seen as a violation committed against better knowledge from the outset, and there is no excuse for having entered into such agreements.
    Poland
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Inspector General for the Protection of Personal Data – GIODO

    Controllers need to carry out an individual assessment of the level of data protection ensured as part of cross-border data transfers, which must take into account not only the contractual provisions agreed between exporters and importers of data, but also legal provisions in a third country, in particular regarding possible access by public authorities of that country to the data transmitted. Further guidance will follow via the EDPB. Personal data can no longer be transferred to the U.S. on the basis of the Privacy Shield from the date of the verdict onwards (16 July).

     

    Portugal
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    National Commission for Data Protection

    No statement yet

     

    Romania
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    National Supervisory Authority for Personal Data Processing

    Factual statement; suggests looking at alternative transfer mechanisms (SCCs, BCRs, derogations) for U.S. data transfers to replace Privacy Shield as a legal basis

     

    Slovakia
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Office for Personal Data Protection

    Factual statement on the verdict – no information on enforcement or advice on transfers

     

    Slovenia
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Office of the Information Commissioner

    The EU Court of Justice annulled the so-called Privacy Shield, and organizations are given other listed data transfer mechanisms to take care of as soon as possible. Disclosures of personal data are still possible, provided that the controller of the personal data itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they are responsible for assessing the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the U.S. and have so far relied on the recipient being a company that can be found on the so-called Privacy Shield list must ensure as soon as possible that the transfers are justified on another basis (e.g. standard contractual clauses, binding business rules, exceptions). Otherwise, data may not be transmitted in the United States. In a very similar situation in 2015, when the predecessor of the Privacy Shield, i.e. the Safe Harbor agreement, was annulled by the Court of Justice of the European Union, organizations often based data transfers in the U.S. on standard contractual clauses they had entered into with partner organizations.

     

    Spain
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Spanish Data Protection Agency (AGPD)
    (Federal)

    No statement yet
    International Data Transfers

    Basque Data Protection Agency
    (Basque Country)

    No statement yet
    International Data Transfers

    Catalan Data Protection Authority
    (Catalonia)

    No statement yet

     

    Sweden
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Data Inspection Board

    Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

     

    EUROPEAN ECONOMIC AREA

    Iceland
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Data Protection Authority

    Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

     

    Liechtenstein
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Data Protection Office

    However, the European Court of Justice also made clear in its ruling that data can still be transferred to the USA on the basis of other suitable guarantees under Art. 46 ff. GDPR, in particular also on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible now have to rely on such instruments. The data protection agency has published a compilation of the requirements and various suitable guarantees for data transfers to third countries on its website.

     

    Norway
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Data Protection Authority

    The Schrems II ruling was actually about whether Facebook could transfer information about users in Europe to the United States. The Court also took the opportunity to comment on transfers to third countries in general. It concluded that the transfer basis known as the Privacy Shield is no longer valid. There are still other valid transfer bases, but the court said that using such bases in itself is not enough. The additional requirements of the European Court of Justice have already begun to apply, and it is also no longer possible to use the Privacy Shield as a basis for transfer. The requirements apply to both new and existing transfers. It is no longer sufficient to use a valid transfer basis such as the European Commission’s standard contractual clauses or binding corporate rules (BCR).

     

    OTHER RELEVANT JURISDICTIONS

    New Zealand
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Privacy Commissioner

    The Court considered that certain programmes enabling access by US authorities to personal data transferred from the EU for national security purposes create limits on the protection of that personal data. These limits mean there is a lack of protection that is “essentially equivalent” to EU law, and that data subjects do not have actionable rights before the courts against US authorities. Transfers of personal data from the EU to New Zealand are conducted on the basis of the adequacy decision in place (article 45 of the EU General Data Protection Regulation).
    The European Commission formally ruled in December 2012 that New Zealand’s privacy law provided an ‘adequate level’ of privacy protection to meet European standards.
    We will also be considering the decision in Schrems II as we develop model contract clauses under the new Privacy Act 2020. Now that the new Privacy Act 2020 has been passed (coming into force on 1 December 2020) New Zealand has new limits on international transfers of personal information (new IPP 12).

     

    Switzerland
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Federal Data Protection and Information Commission

    After closely analysing the regime, the FDPIC concludes in his position paper of 8 September 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP). Switzerland is not a member of the EU and is not legally bound by the CJEU decision, however: Swiss companies must assume that foreign authorities may require them to observe EU law when exporting personal data. In many cases, standard contractual clauses (“SCCs”) and comparable provisions will not meet requirements in article 6 for data transferred to non-listed countries:
    they do not prevent foreign authorities from accessing personal data if the country’s public law:
    takes precedence; and
    allows official access without transparency and legal protections for concerned individuals.

     

    United Arab Emirates
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Dubai International Financial Centre

    DP Assessment Tool – Data Export and Sharing.

    As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.

    Special Note about Privacy Shield:  Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield.

     

    United Kingdom
    Entity/Region Comment Specific Statement on Privacy Shield Guidance on SCC Assessments
    International Data Transfers

    Information Commissioner
    UK

    The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.
     

    The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.

    Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

     

    TrustArc Resources

    FAQs

    Schrems 2 Decision FAQs

     

     

    Webinar

    Privacy Shield Webinar

     

     

    Watch the on-demand webinar “The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent” as we discuss the implications of the recent Schrems II decision, the status of Privacy Shield and how to navigate these significant changes. The EDPB has guidelines on cookie consent and how these guidelines impact your organization.