Why businesses are busy updating compliance around European data transfers to meet the September 27 deadline – and why yours should be too. | Robins Kaplan LLP
Transfers of personal data from the European Economic Area (“EEA”) to most other countries, including the United States, require companies to take swift compliance action. The General Data Protection Regulation (“GDPR”) requires that personal data transferred from the EEA receive an adequate level of protection in the destination country. For transfers to the United States, companies have primarily relied on the Privacy Shield and on Standard Contractual Clauses approved by the European Commission to document compliance with this requirement. On July 16, 2020, the EU Court of Justice (ECJ) struck down the Privacy Shield, in a case known as Schrems II, because of potential interference with the rights of data subjects caused by US government surveillance. Schrems II went beyond invalidating the Privacy Shield: it also cast a cloud over the standard contractual clauses, suggesting that assessments of some sort would be needed to ensure that the standard contractual clauses meet these requirements.
The European Commission and the European Data Protection Board clarified in June 2021 what these steps should include. It is important to note that the European Commission has published new standard contractual clauses addressing some of these issues, which it obliges all companies to use in place of the previous standard contractual clauses. Companies must use the new standard contractual clauses in the relevant contracts from September 27, 2021. All existing contracts based on the previous standard contractual clauses must be converted to the new standard contractual clauses by December 27, 2022.
Note that updating contracts is only one piece in solving the Schrems II compliance puzzle. The updated terms of the new standard contractual clauses and the recommendations issued by the European Data Protection Board make it clear that compliance obligations on this front will not be met by the mere signing of contracts. Businesses have a positive obligation to carry out a complex assessment of laws and practices, such as government surveillance laws, that could infringe on European personal data once it is transferred outside the EEA. If this assessment reveals a protection gap under the laws of the recipient country, companies should develop and implement technical, organizational and/or contractual measures to resolve the gap, or cease the transfer of data.