Transfers of personal data to third countries: Action required by the end of the year, and news on the EU-US Data Privacy Framework
The CJEU’s Schrems II judgment issued in 2020 declared the Privacy Shield, which had enabled transfers of EU personal data to registered US recipients, invalid and resulted in the Commission replacing the Standard Contractual Clauses (SCCs) widely used in international personal data transfers with new sets of SCCs, as the earlier clauses were considered insufficient. In this article, we would like to stress the need for action by businesses making use of the SCCs. We also discuss the recent developments in the future framework for EU-US personal data transfers.
The sunset period for applying the “old” SCCs is now coming to an end, meaning that all entities safeguarding international personal data transfers by the SCCs should ensure that the affected agreements with service providers, customers and other parties outside the EU/EEA have or will be updated accordingly by 27 December 2022.
Important developments have also taken place with respect to the long-awaited framework for data transfers between the EU and the US. On 13 December 2022, the Commission published a draft adequacy decision for the establishment of a new Trans-Atlantic Data Privacy Framework, building on the agreement in principle reached between the EU and the US in March and on an Executive Order signed by US President Biden in October this year.
Standard contractual clauses
The new sets of SCCs provide data controllers and processors with a more modern personal data transfer mechanism than the previous SCCs. As SCCs are the most widely used mechanism for transferring data from the EU to other countries, and the previous sets of SCCs were adopted under the repealed Data Protection Directive 95/46, an update was much needed. The key changes in the modernized SCCs are explained in more detail in our previous article, available here.
As the modernized SCCs are bound to replace the widely-used earlier sets of SCCs completely, action is required by most businesses.
Since 27 September 2021, it has no longer been permitted to conclude contracts incorporating the earlier sets of SCCs. Thus, data controllers and processors have been able to rely on the earlier sets of SCCs only for contracts that were concluded before that date, and only provided that the processing operations that are the subject matter of the contract remain unchanged. This transitional arrangement ends on 27 December 2022: from that date onwards, every contract still relying on the old SCCs must have been replaced with the modernized SCCs. The Commission has provided practical guidance on the use of the SCCs in the form of a Questions and Answers overview, found here.
It should be noted that the SCCs (or any other GDPR Article 46 transfer tool) can only be applied to a transfer if the data exporter performs a documented transfer impact assessment to determine whether the personal data will be adequately protected in practice in a third country destination, also considering the legal framework and practical application of the law of the country of destination. The EDPB has released recommendations providing guidance on the substance of such assessment.
EU-US Data Privacy Framework moves forward
As noted above, the Schrems II judgment made the personal data transfers on the basis of the Privacy Shield non-compliant and resulted in a grey area regarding personal data transfers to the US. Subsequent to the US and the EU reaching an agreement in principle in March 2022 on a new personal data transfer framework for fostering transatlantic data flows, in October 2022 President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which is a significant step towards enabling transatlantic data flows under a new framework.
The Executive Order, along with accompanying regulations issued by Attorney General Merrick Garland, is designed to protect the personal data of EU citizens by limiting access to that data by US intelligence authorities to what is necessary and proportionate to protect national security. The Executive Order also establishes a new two-layer redress mechanism, which gives EU citizens, firstly, the right to lodge a complaint with the “Civil Liberties Protection Officer” and, secondly, the right to appeal that decision to the “Data Protection Review Court”.
The Commission’s recently proposed draft adequacy decision pursuant to Article 45 of the GDPR is expected to reinstate the Privacy Shield as a valid mechanism for transferring personal data from the EU to certified US companies. The draft adequacy decision, which concludes that the US legal framework provides safeguards comparable to those of the EU, has now been transmitted to the European Data Protection Board (EDPB) for its opinion.
However, regardless of the Commission’s assessment of the safeguards in the draft decision, the Executive Order has already faced certain criticism. It is therefore recommended to consider conducting a data transfer impact assessment on potential recipients under the new framework as well, in order to verify the level of protection.
While waiting for the framework to be adopted, it is important to remember that other mechanisms for transferring personal data outside the EU, such as the SCCs mentioned above, remain available, and are in any case needed for transfers to non-certified US recipients. The safeguards agreed upon between the Commission and the US Government in the area of national security will apply to all transfers to the US under the GDPR, regardless of the transfer mechanism used. More on EU-US personal data transfers can be found here.