In its Schrems II decision (which we reported on here) the Court of Justice of the European Union (CJEU) found that the Privacy Shield framework, which had been used to facilitate data transfers from the EU to the US, did not adequately protect the personal data of EU users. The use of standard contractual clauses (SCCs) for such transfers of personal data to a third country was validated by the ruling, provided that the recipient country’s level of data protection was verified by the EU based entity prior to the data transfer.
Why are these guidelines needed?
In a draft report adopted on Tuesday 19 May 2021 the Civil Liberties Committee has urged the European Commission to assess the impact of this decision on data transfers with the US. The Civil Liberties Committee suggests, and is probably aware, that businesses may struggle to assess the data protection regimes of third countries themselves. The MEPs have therefore called for clear guidelines so companies can make data transfers that can be made GDPR-compliant, acknowledging that certainty and stability is key for businesses.
The report recommends collaboration between the European Commission and the European Data Protection Board (EDPB) to ensure the guidelines are fit for purpose given recent CJEU rulings.
Potential enforcement proceedings against Ireland
MEPs have also called on the European Commission to begin infringement procedures against Ireland for failing to effectively enforce the GDPR. The Irish Data Protection Commission (DPC)’s decision to initiate the Schrems court case instead of triggering enforcement procedures under the GDPR, along with the DPC’s long processing times, were both held to be disappointing by the Civil Liberties Committee.
The draft resolution will be debated in a future plenary session and put to the vote by the full House. While collaboration between the EC and EDPB to issue clear guidelines for businesses sounds appealing, we can only hope that the guidelines are pragmatic as well.