
A New Year in personal data transfers to third countries. What do you need to know about it?
12 December 2023
In July 2020, the Court of Justice of the European Union issued its judgment in the Schrems II case, in which it ruled that transfers of personal data to the United States based on the so-called Privacy Shield were inadmissible.
Although the judgment was handed down more than two years ago, it is worth revisiting today, because from this day forward all controllers and processors are absolutely required to apply the new standard contractual clauses, which are one of the mechanisms provided for under the GDPR for lawfully transferring personal data outside the European Economic Area.
A few words about the Schrems II judgment
In its Schrems II judgment, the CJEU ruled that the European Commission's decision on the adequacy of the protection afforded by the Privacy Shield was invalid, because the United States does not provide a level of personal data protection equivalent to that of EU law (among other reasons, due to US legislation that grants American intelligence agencies broad access to the personal data of Europeans processed in the United States).
Why was the invalidation of the Privacy Shield a revolution, and what do standard contractual clauses have to do with it?
Until 16 July 2020, the Privacy Shield served as the legal basis for most transfers of personal data between the European Union and the United States.
As a result, the judgment meant that most transfers of personal data to the United States began to take place unlawfully.
To counteract the consequences of this ruling (and to fulfill the obligations arising from the GDPR), in June 2021 the European Commission adopted new standard contractual clauses (SCCs).
SCCs are essentially a template-based agreement between entities exchanging personal data, the purpose of which is to ensure that processing personal data outside the EEA does not result in a reduced level of personal data protection.
All controllers and processors were under an absolute obligation to implement the new SCCs into all relationships involving transfers of personal data outside the EEA by 27 December 2022.
This means that from today, 28 December 2022, the new standard contractual clauses must, without any exception, be applied by all controllers and processors who transfer personal data outside the EEA on the basis of this data transfer mechanism.
What did implementing the new contractual clauses mean for businesses?
First, businesses should have checked whether they transfer personal data outside the EEA (for example, when using IT services), and then should have verified the legal basis on which such a transfer takes place.
If the transfer was taking place without any safeguards or on the basis of the “old” standard contractual clauses (that is, under the European Commission's decisions from 2001 or 2010), then businesses should have concluded a new agreement with their non-EEA partner regarding the transfer of personal data outside the EEA, based on the new standard contractual clauses (the text of the clauses is available here).
It is worth remembering that the European Commission adopted the new standard contractual clauses in four modules, that is, for situations where personal data is transferred between: a controller and another controller in a third country; a controller and a processor in a third country; a processor and another processor in a third country; a processor and a controller in a third country.
For this reason, before signing the new standard contractual clauses, every business should have asked itself what role it plays in the personal data processing operation and, consequently, which module of the standard contractual clauses it should use.
Moreover, the CJEU's judgment in the Schrems II case, together with the recommendations of the European Data Protection Board on supplementary measures for transfer tools to ensure compliance with the EU level of personal data protection, makes clear that before transferring personal data outside the EEA, a controller or processor should examine whether the new SCCs can actually be enforced in the country to which the personal data is being sent.
Time for a plot twist
As you can see, applying the new SCCs is not the simplest task and generates significant operational costs for businesses on both sides of the Atlantic Ocean.
To simplify the transfer of personal data from the European Union to the United States, the US authorities (in agreement with the EU authorities) began the process of aligning American law with the conclusions stemming from the Schrems II ruling.
As a result, in October 2022 President Joe Biden signed an executive order introducing a new framework for protecting the personal data of Europeans in the United States.
Among other things, the order limits intelligence agencies' access to the personal data of Europeans to situations where it is necessary and proportionate to ensuring national security; it introduces the ability for individuals whose personal data has been breached within the United States to file complaints; and it establishes a mechanism, available to Europeans, for pursuing claims arising from privacy violations.
Joe Biden's Executive Order is significant because it lays the groundwork for the European Commission's draft adequacy decision regarding personal data protection between the EU and the US.
If this decision were adopted, we could speak of the implementation of a “Privacy Shield 2.0,” and the transfer of personal data to the United States could take place on the basis of an “ordinary” data processing agreement, just as it does between businesses within the EU.
At present, the draft decision has been submitted to the European Data Protection Board for its opinion.
However, it is already clear that the adoption of the aforementioned decision by the European Commission will not be an easy task, given the criticism from non-governmental organizations dealing with personal data protection, including the organization NOYB and Max Schrems, who are already announcing that they will take legal steps to invalidate this data transfer mechanism as well.
Ensuring the lawful transfer of personal data is not a straightforward matter, especially since the situation in this area is highly dynamic.
If you need support or a consultation regarding the transfer of personal data outside the EEA within your organization, we are at your disposal.

dotlaw is an AI-native law firm for technology companies. Specializations: AI Act, GDPR, MiCA, ISO 27001, IT contracts, M&A in tech.

