Role and importance of data flow following “Schrems II” case
On 11 May, EACA participated in the webinar “EU-US Tech Allies Series: A Transatlantic Space for Data Flows” organised by DigitalEurope. The webinar addressed the role and importance of data flows and the prospects of a swift re-design of the EU-US Privacy Shield following the 2020 ECJ ruling, which invalidated it.
The case stems from a complaint lodged by Mr Maximillian Schrems with the Irish Data Protection Authority regarding transferring his data from Facebook Ireland Ltd. to Facebook Inc. The Irish DPA deemed it necessary to appeal to the European Court of Justice, which ruled on 16 July 2020, stating that Facebook cannot use SCCs (Standard Contractual Clauses) to justify data transfers. SCCs are a legal mechanism established in the EU General Data Protection Regulation (GDPR) to help companies in EEA countries transfer personal data to other companies in third countries.
However, after this ECJ decision, data can still be transferred to the United States if necessary, if this is done in compliance with Article 49 of the GDPR, i.e., with the data subject’s consent.
Following the “Schrems II” judgment of 16 July, DIGITALEUROPE interviewed nearly 300 companies to understand better the use of SCCs. in Europe.
The research shows that:
- SCCs are by far the most widely used mechanism for data transfers. Of all companies surveyed, 85% are estimated to use SCCs.
- Most companies using SCCs (75%) have their headquarters in Europe.
- The information and communications technology (ICT) sector are the single largest user (37%).
- Most companies using SCCs are business-to-business (B2B) entities (90%).
- Over half of SCC users transfer data to close business partners or non-EU subsidiaries (57%).
- Three-quarters of companies aware that they are using SCCs to transfer data to more than one non-EU country.
- Nine in ten companies that have reassessed their use of SCCs to comply with the ruling consider that the cost of doing so is moderate or high.
- 25% of respondents appear not to be aware that they transfer data outside of the EU, most likely through SCCs.