SCCs remain valid — with considerations
The Privacy Shield was designed to help companies comply with the GDPR when transferring personal data from the EU to the US. Max Schrems, an Austrian lawyer, successfully argued that the Safe Harbor — the predecessor of the Privacy Shield — did not sufficiently protect his data when transferred to the US. Then, in a decision by the CJEU that became known as Schrems II, the Privacy Shield was also found to be inadequate.
The CJEU upheld the validity of SCCs as an approved transfer mechanism. However, it will require stricter scrutiny prior to any transfer: the exporting and importing parties must assess, case by case, whether the laws of the importing country provide a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. If the parties determine that the SCCs cannot be complied with because of local laws, the CJEU instructs data exporters to immediately cease all data transfers and/or to terminate the SCCs.
eDiscovery practitioners can cautiously use SCCs but might have to implement supplementary measures and other strategies to comply with the GDPR. These may include relying on the derogations under GDPR Article 49, based, for example, on the consent of the data subject or on the performance of a contract, to transfer personal data out of the EU to the US.
Schrems II emphasizes that the SCCs must also address guarantees that prevent access to the data by public authorities or surveillance services. It is particularly important for companies relying on SCCs for eDiscovery to revisit them following the CJEU’s decision and confirm GDPR compliance.