BSA comments on Schrems II case

BSA | The Software Alliance is pleased that the decision by the European Court of Justice (ECJ) upheld Standard Contractual Clauses, consistent with BSA’s amicus brief and arguments submitted to the Court, but is disappointed that the ECJ invalidated the EU-US Privacy Shield.

  • 4 years ago Posted in

“Today’s ECJ decision creates a challenge for more than 5,300 U.S.-based companies—including over 250 with headquarters in Europe—that relied on the Privacy Shield to transfer personal data to and from Europe,” said Thomas Boué, Director General of Policy—EMEA at BSA. “70 percent of the companies certified to the Privacy Shield were SMEs, and they will now have to spend time and resources finding alternatives to carry out daily business transactions like processing payroll, sending emails, or storing documents on cloud-hosted servers.”


“Companies need to have reliable and stable mechanisms to send data from the EU to the United States. This is an unwelcome development at a time when businesses on both sides of the Atlantic are focusing on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” Boué added.

“BSA is studying the details of the decision. We stand ready to work immediately with the European Commission, the US Government, and the transatlantic business community, who share the common goal of finding a new, sustainable data transfer mechanism that will work for the long term,” said Boué. “More positively, the Court has upheld the ability to use Standard Contractual Clauses as a responsible, trusted tool to transfer personal data outside Europe, including to the United States.”

Standard Contractual Clauses – or SCCs – are the main transfer mechanism used by 90 percent of companies that transfer data internationally. SCCs, which are issued by the EU Commission, were also under review by the ECJ. SCCs underpin transfers of personal data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India, and Mexico. These clauses impose a range of contract-based obligations help ensure EU law’s strong privacy protections flow with any personal data sent outside of the EU. The SCCs impose mandatory safeguards and companies that use SCCs also apply additional safeguards that are tailored to each specific transfer. 

Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Atos has launched Atos OneCloud Sovereign Shield, a set of solutions, methodologies, and...
New distribution agreement set to bolster Westcon-Comstor’s Zero Trust offering in more markets...
Research from Avast has found that employees in almost a third (31%) of Small and Medium...
This year, over half of MSPs or their end customers have been attacked by ransomware but only 53%...
Trend Micro has published new research revealing that 90% of IT decision makers claim their...
Cyber consultants call on businesses to act now, or risk budgets shrinking further in ‘real...