International transfers: Recent developments and the importance of GDPR compliance tools

Recent developments in the realm of international data transfers, namely the European General Court’s (“EGC”) ruling in Bindl v Commission, have yet again underscored the critical importance of robust GDPR compliance practices to navigate this complex environment. The judgment highlights how important it is for organizations to comply with the rules on international data transfers, including when integrating third-party tools that also process personal data (such as IP addresses).

The EGC found that the transfer to the United States took place without appropriate safeguards under the GDPR, as Standard Contractual Clauses (“SCCs”) were not implemented and the transfers were carried out following the invalidation of the Privacy Shield but before the adoption of the EU-US Data Privacy Framework. This decision further emphasizes the need for organizations to rely on robust mechanisms when it comes to international data transfers and to implement appropriate safeguards while addressing the associated risks (such as the invalidation of a transfer mechanism).

The Growing Scrutiny of International Transfer Mechanisms

EU-US data transfers have been a contentious topic of discussion in recent years. The invalidations of the Safe Harbor and Privacy Shield Frameworks have already demonstrated the vulnerability of adequacy decisions. While the EU-US Data Privacy Framework offers a solution with regard to transfers of personal data to the United States for the commercial sector (at least for those that participate in the Framework), its long-term stability remains uncertain, and further judicial scrutiny is expected. This reality reinforces the need for redundancy in GDPR transfer tools, both to avoid overreliance on a single transfer mechanism and to address data transfers to multiple jurisdictions.

The Role of Codes of Conduct in International Transfers

It is crucial to emphasize the importance of making other solutions available under Chapter V GDPR, such as Codes of Conduct and Certifications. As part of GDPR’s toolbox for compliance, Codes of Conduct, such as the EU Cloud Code of Conduct (“EU Cloud CoC”), offer a practical way to make the GDPR’s risk-based approach concrete. These tools provide clarity and actionable guidance for organizations (in the case of the EU Cloud CoC, for cloud service providers), helping them meet GDPR’s stringent requirements while fostering trust and transparency.

To further address the complexities of international transfers, following the Schrems II ruling, the General Assembly of the EU Cloud CoC has been developing a Third Country Transfers Module (draft available here and feedback welcomed here). This innovative addition emerges as a versatile Chapter V solution that presents the advantage of providing appropriate safeguards for data transfers to multiple jurisdictions.

Recognizing the broader challenge, the Third Country Transfers Module is designed to support organizations in navigating international transfers worldwide, ensuring compliance with GDPR requirements across all jurisdictions. By providing a structured approach to implementing appropriate safeguards, the module equips cloud providers and their customers with a scalable, globally applicable solution that facilitates GDPR compliance wherever data flows.

Designed to include standardized mechanisms through which cloud service providers can effectively support customers and controllers, the Module facilitates compliance for cloud customers. In addition to incorporating the requirements derived from relevant EDPB guidelines, recommendations and CJEU rulings, the Third Country Transfers Module provides a compliance mechanism that equips organizations with an optimal tool to identify appropriate technical, contractual and organizational supplementary measures.

The evolving legal landscape of international transfers highlights the importance of adopting robust and diverse GDPR compliance tools. Mechanisms like the EU Cloud CoC and its Third Country Transfers Module empower businesses to maintain and demonstrate compliance, build trust, and reduce legal uncertainties.

For more information about the EU Cloud CoC and its Third Country Transfers Module, visit: EU Cloud CoC Third Country Transfers.
