[Things don’t stand still in the world of data privacy. Check out our updates about the EU Adequacy Decision and next steps: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, and background here – Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]
Does the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) apply to your contracts’ transfers of Personal Data from the European Economic Area (“EEA”) to a country (such as the United States) that the EU deems to lack “adequate” safeguards?
- If so, do you rely on contract terms to permit such cross-border transfers?
- If yes, it’s time to check your contracts – do they have the current SCCs for international transfers (Commission Implementing Decision (EU) 2021/914, aka “new” SCCs”)?
- The grace period to transition from earlier SCC versions (where entered into by September 27, 2021) ends December 27, 2022.
- Here’s a link identifying which countries the EEA currently deems “adequate.” The US is not among them: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- If you proceed with such transfers, do so with eyes open. While far beyond the scope of this brief blog post, know there are:
- Operational choices to be made/negotiated within the SCCs (including selection of appropriate module(s), handling of subprocessors, governing law and jurisdictions); Annexes to be populated (in detail); obligations (notably including conducting and documenting a transfer impact assessment).
- And, ongoing legal challenges (e.g., Schrems II and its progeny), with no guarantee such cross-border transfers will be found to comply with the GDPR even when using “new” SCCs, incorporating “supplementary measures,” or if/when the proposed Trans-Atlantic Data Privacy Framework comes to be.
- See, e.g.: the European Commission’s Q&A about implementing the new SCCs: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and articles by Mr. Schrems’ advocacy non-profit: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal; https://noyb.eu/en/open-letter-future-eu-us-data-transfers
- What about the UK? Are the clauses the same, or the deadlines the same, for Personal Data transfers subject to UK Data Protection Laws? No. Thank Brexit. See: https://www.techcontracts.com/2022/03/29/contract-terms-current-uk-idta/.
Looking to learn about information technology contracts? Tech Contracts Academy offers public and in-house trainings, including about data privacy and security terms.
© 2022 by Kathy O’Sullivan, Esq. (CIPP/E, CIPP/US). All rights reserved.
Thank you to Pixabay.com for great, free stock images.
THIS ARTICLE IS NOT LEGAL ADVICE. IT IS GENERAL IN NATURE AND MAY NOT BE SUFFICIENT FOR A SPECIFIC CONTRACTUAL, TECHNOLOGICAL, OR LEGAL PROBLEM OR DISPUTE, AND IT IS NOT PROVIDED WITH ANY GUARANTEE, WARRANTY, OR REPRESENTATION. LEGAL SITUATIONS VARY, SO BEFORE ACTING ON ANY SUGGESTION IN THIS ARTICLE, YOU SHOULD CONSULT A QUALIFIED ATTORNEY REGARDING YOUR SPECIFIC MATTER OR NEED.