The transatlantic transfer of personal data from the EU to the US is still a mess. Since the EU Court of Justice struck down the EU-US Privacy Shield in July 2020, and called into question the validity of the EU's standard contractual clauses, a solution to allow transfer of personal data from the EU to the US has not materialized.
On November 12, 2020 the European Commission published a draft set of new standard contractual clauses ("SCC"). While SCC recognized changes in technology since the SCC were originally adopted over 20 years ago, and also accounted for some of the concerns raised by the Schrems decision, the draft SCC have yet to be implemented.
After the draft SCC were published on November 12, the period for commenting on the draft was left open until December 21, 2020. To date, a final version of new SCC has yet to be published.
In the United States, there has not been any progress toward replacing the EU-US Privacy Shield that was invalidated by the Schrems decision. Although the Senate held a hearing on December 9, 2020 titled "The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows," there has been no progress since the hearing. Although at the hearing, witnesses expressed concern for the effect the Schrems decision would have on US business, can we reasonably expect any progress on this front?
After all, several data privacy bills have been introduced into Congress over the last 18 months, with none of them going anywhere.
Our best hope is that the draft SCC are finalized sooner rather than later. At least then, businesses will know what they need to do to lawfully transfer personal data from the EU to the US. In the meantime, is this a case of Nero fiddling while Rome burns?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
