[Things don’t stand still in the world of data privacy. Check out our updates about the EU Adequacy Decision and next steps: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, and background here – Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]
Does the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) apply to your contracts’ transfers of Personal Data from the European Economic Area (“EEA”) to a country (such as the United States) that the EU deems to lack “adequate” safeguards?
- If so, do you rely on contract terms to permit such cross-border transfers?
- If yes, it’s time to check your contracts – do they have the current SCCs for international transfers (Commission Implementing Decision (EU) 2021/914, aka “new” SCCs)?
- The grace period to transition from earlier SCC versions (where entered into by September 27, 2021) ends December 27, 2022.
- Here’s a link identifying which countries the EEA currently deems “adequate.” The US is not among them: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- If you proceed with such transfers, do so with eyes open. While far beyond the scope of this brief blog post, know there are:
  - Operational choices to be made/negotiated within the SCCs (including selection of appropriate module(s), handling of subprocessors, governing law and jurisdictions); Annexes to be populated (in detail); and obligations (notably including conducting and documenting a transfer impact assessment).
  - And, ongoing legal challenges (e.g., Schrems II and its progeny), with no guarantee such cross-border transfers will be found to comply with the GDPR even when using “new” SCCs, incorporating “supplementary measures,” or if/when the proposed Trans-Atlantic Data Privacy Framework comes to be.
- See, e.g.: the European Commission’s Q&A about implementing the new SCCs: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and articles by Mr. Schrems’ advocacy non-profit: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal; https://noyb.eu/en/open-letter-future-eu-us-data-transfers
- What about the UK? Are the clauses the same, or the deadlines the same, for Personal Data transfers subject to UK Data Protection Laws? No. Thank Brexit. See: https://www.techcontracts.com/2022/03/29/contract-terms-current-uk-idta/.
By Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US)
© 2022 by Tech Contracts Academy, LLC. All rights reserved.