Ruth Maria Bousonville of Pinsent Masons said: “For many organisations, a significant contract remediation exercise will need to be undertaken to ensure that the legacy SCCs are no longer relied upon from 27 December. With just weeks to go until the deadline, businesses should review their data transfer arrangements and commission a data transfer risk assessment from experts – and implement new SCCs and any further risk mitigation measures that are necessary.”
“A number of data protection authorities across Europe, in particular those from Germany, have shown an appetite to scrutinise companies’ data transfer arrangements for their compliance with CJEU rulings, including the Schrems II judgment. The expiration of the 27 December deadline is likely to trigger a renewed impetus in this regard, and businesses can expect to be the subject of enforcement – including, potentially, heavy fines – if deficiencies are identified by the authorities,” she said.
Businesses that operate in the UK as well as in the EU must factor in a separate compliance deadline in respect of EU SCCs. Businesses can no longer enter into new data transfer contracts on the basis of the 2004 or 2010 EU SCCs under the UK data protection regime. Contracts put in place before 21 September 2022 that rely on the old EU SCCs will be considered to be compliant with the UK GDPR until 21 March 2024. From that date, however, restricted data transfers will need to conform to the UK’s international data transfer agreement, or to the UK addendum, which has also been developed to support businesses that implement the 2021 EU SCCs.
Jonathan Kirsop of Pinsent Masons said: “Although there is a later deadline for remediation of data transfer contracts in the UK, the impending EU deadline provides businesses with an opportunity to carry out a single remediation exercise for both UK and EU compliance purposes in respect of their use of legacy EU SCCs.”
“SCCs are not the only mechanism that businesses can rely on for transferring personal data internationally. For example, so-called adequacy decisions already facilitate data transfers between the EU and a number of jurisdictions globally, including the UK, and there are moves afoot by the UK government to achieve similar arrangements with other countries themselves too. The EU-US Privacy Shield 2.0 promises to help support data transfer arrangements across the Atlantic in future too. Businesses transferring data to other jurisdictions or banking on Privacy Shield 2.0 cannot afford to wait – an SCCs remediation exercise should be undertaken as a matter of urgency to ensure continued compliance beyond 27 December 2022,” he said.