As many will know, the Schrems II decision has caused quite a stir in the data privacy community, most immediately because of its consequences for EEA-to-US data transfers. In its decision, the CJEU struck down the EU-US Privacy Shield as a basis for transferring personal data from the EEA to the US. It also held that the standard contractual clauses (SCCs) can only be used for international transfers (including to the US) where the sender has carried out due diligence on the third country and is confident that the level of protection offered in that third country is sufficient to enable compliance with the SCCs.
The decision is – unsurprisingly – of some concern to the US government, given that so many US businesses rely on EEA-to-US data transfers. On the 28th of September, the US government published a White Paper in response to the Schrems II decision, which addresses a number of concerns that companies will have with transferring data to the US post-Schrems II. For example, the White Paper seeks to reassure data exporters that most US companies do not deal in data that is of any interest to US intelligence agencies, and have no grounds to believe they do. The Paper also references a number of recent developments and information not considered by the CJEU.
It will be interesting to see what weight (if any) EU regulators will attach to the Paper. In the meantime, it is likely to be a helpful tool for companies when they undertake their due diligence and risk assessment before sharing data with the US pursuant to the SCCs.
...the White Paper can help organizations make the case that they should be able to send personal data to the United States using EU-approved transfer mechanisms...