Personal data transfers outside the EU need a legal update by the end of this year

According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs).

On 4 June 2021, the European Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive. Businesses must migrate all contracts that use the old SCCs to the new SCCs by December 27, 2022.

The new SCCs require data importers to confirm that they will only disclose personal data to a third party outside of the EEA where (i) the third party has agreed to be bound by these Clauses or (ii) a specific derogation applies. In prior guidance, the European Data Protection Board (EDPB) has been clear that the derogations are not available for systematic transfers.

As a result, where transfers will be systematic under a set of new SCCs, the importer will need to have ensured that any third parties involved in the processing, such as (sub)processors, have also signed the new SCCs. This means importers will want to have examined their supply chain and put in place the new SCCs to cover such onward transfers.

The European Commission has the power to determine, on the basis of Article 45 of the GDPR, whether a country outside the EU offers an adequate level of data protection and thus does not require SCCs for personal data transfers. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection.

What about the EU – U.S. data transfers?

The main concern so far, due to the potential economic impact, has been data transfers from the EU to the U.S., as the U.S. is not covered by an adequacy decision and, according to EU Court of Justice judgments, there are fundamental legal differences between EU and U.S. privacy safeguards for EU citizens. Businesses have faced legal uncertainty in shipping information across the Atlantic for activities such as cloud services, human resources, marketing, and advertising.

The new SCCs might help to overcome those issues. In light of the latest news, however, the question is whether EU businesses should sprint to finalize the new SCCs by the end of the year, or whether it would be wiser to wait for possible developments as the U.S. moves towards an adequacy decision.

The latest news, from March 25th, is that as a result of intensified negotiations between the U.S. Government and the European Commission, the EU and the U.S. reached an agreement in principle for a new Trans-Atlantic Data Privacy Framework. The agreement in principle will now be translated into legal documents. The U.S. commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the European Commission to put in place the new Framework.

Once established, the new framework and redress mechanism will be tested by individuals and scrutinized by regulators, courts, and the public at large almost immediately, so experts and privacy advocates warned that the new deal could face similar legal challenges as previous ones.

The yearslong dispute stems from fears that U.S. officials could unlawfully peer into mass troves of personal data collected by technology companies such as Facebook parent Meta Platforms Inc. and others.

New Trans-Atlantic Data Privacy Framework key principles

  • Based on the new framework, data will be able to flow freely and safely between the EU and participating U.S. companies;
  • A new set of rules and binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to their data by U.S. intelligence authorities, which includes a Data Protection Review Court;
  • Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce;
  • Specific monitoring and review mechanisms.

Benefits of the deal

  • Adequate protection of Europeans’ data transferred to the U.S., addressing the ruling of the European Court of Justice (Schrems II);
  • Safe and secure data flow;
  • Durable and reliable legal basis;
  • Competitive digital economy and economic cooperation;
  • Continued data flows underpinning €900 billion in cross-border commerce every year.

How to proceed?

In conclusion, there is certainly a need for SCC updates when transferring personal data from EU businesses to third countries, and it can be a challenging and time-consuming task, even if carried out by professionals. As for EU-U.S. data transfers specifically, one might say that developments of the new framework might save the day.

Hedman