Schrems 2 data transfers survey: 85% of companies in Europe use standard contractual clauses

DIGITALEUROPE surveyed almost 300 businesses to better understand the use of standard contractual clauses (SCCs) in Europe following the “Schrems II” ruling on 16 July.

This first-ever survey – supported by BusinessEurope, the European Round Table of Industry (ERT) and ACEA – confirms the widespread use of SCCs amongst the business community in Europe, both in the ICT sector and elsewhere.

Key findings:

• SCCs are by far the most widely used mechanism for data transfers. 85 per cent of companies surveyed are using them. 70 per cent of SMEs surveyed are using them. Only 9 per cent of companies surveyed do not transfer any data outside Europe.
• 75 per cent of the surveyed companies using SCCs are headquartered in the EU.
• Whereas the ICT sector is the largest user (37 per cent), almost all industry sectors rely on SCCs for their transfers, with manufacturing coming in second (22 per cent).
• Almost all those companies surveyed transfer to the US. Six out of ten transfer data to Asia or the UK.
• Nine in ten companies that have reassessed their use of SCCs to comply with the ruling consider that the cost of doing so has been moderate or high.

Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE, said:

“Thousands of small European business owners are facing legal uncertainty on data flows at a time when many are struggling to stay alive during the COVID-19 crisis.

This first-of-a-kind survey shows that businesses of all sizes across all industries are reliant on personal data transfers. We’re not just talking about the digital sector. Sectors employing millions of people, like manufacturing, retail, professional services, finance and agriculture are affected.

We hope the data we have gathered can contribute crucial insight for regulators and policymakers. We welcome the European Commission’s efforts to solve the issue and call on the European Data Protection Board (EDPB) to ensure its final recommendations on supplementary measures reflect how SCCs are used in real life, and what actual risks and safeguards they entail in line with the ruling.”

Background

On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled on Case C-311/18, otherwise known as “Schrems II,” upholding the validity of standard contractual clauses (SCCs) while invalidating the EU-US Privacy Shield adequacy decision.

The ruling requires all organisations transferring personal data outside the European Economic Area (EEA) to assess or reassess their use of SCCs in order to verify that it complies with the conditions set out in the ruling, notably in terms of preventing access by third-country governments.

DIGITALEUROPE has acted as amicus curiae in the proceedings since their inception before the Irish courts in 2016. SCCs, which were upheld by the ruling, are the most widely used mechanism for data transfers to third countries outside the European Economic Area (EEA), underpinning the EU’s yearly €969 billion exports of services (2018).