Out-Law / Your Daily Need-To-Know

EU deadline looms for data transfer contracts remediation

Out-Law News | 08 Nov 2022 | 12:49 pm | 2 min. read

Businesses should review the basis on which they are transferring personal data internationally ahead of a looming EU compliance deadline that falls before the end of the year, data protection experts have said.

From 27 December, organisations will no longer be able to rely on legacy versions of EU standard contractual clauses (SCCs) – those adopted in 2004 or 2010 – for transferring personal data outside of the European Economic Area (EEA).

SCCs are one of the legal tools the European Commission has developed to help businesses meet their obligations under EU data protection law when transferring personal data outside of the EEA. SCCs can be inserted into commercial contracts to govern how those importing personal data from the EU handle and safeguard that data. Businesses are prohibited from modifying the clauses without approval of the modified version from a national data protection authority.

Last year the European Commission published revised SCCs to replace the 2004 and 2010 versions. The updated 2021 EU SCCs are designed to reflect the changes to data protection law implemented by the General Data Protection Regulation (EU GDPR) in 2018 as well as concerns raised by the Court of Justice of the EU in the so-called ‘Schrems II’ judgment. The Commission has explicitly said that where the SCCs are used for international transfers, a transfer impact assessment that follows recommendations made by the European Data Protection Board should be carried out.

Ruth Maria Bousonville of Pinsent Masons said: “For many organisations, a significant contract remediation exercise will need to be undertaken to ensure that the legacy SCCs are no longer relied upon from 27 December. With just weeks to go until the deadline, businesses should review their data transfer arrangements and commission a data transfer risk assessment from experts – and implement new SCCs and any further risk mitigation measures that are necessary.”

“A number of data protection authorities across Europe, in particular those from Germany, have shown an appetite to scrutinise companies’ data transfer arrangements for their compliance with CJEU rulings, including the Schrems II judgment. The expiration of the 27 December deadline is likely to trigger a renewed impetus in this regard, and businesses can expect to be the subject of enforcement – including, potentially, heavy fines – if deficiencies are identified by the authorities,” she said.

Businesses that operate in the UK as well as in the EU must factor in a separate compliance deadline in respect of EU SCCs. Businesses can no longer enter into new data transfer contracts on the basis of the 2004 or 2010 EU SCCs under the UK data protection regime. Contracts put in place before 21 September 2022 that rely on the old EU SCCs will be considered to be compliant with the UK GDPR until 21 March 2024. From that date, however, restricted data transfers will need to conform to the UK’s international data transfer agreement, or to the UK addendum that has also been developed to support businesses that implement the 2021 EU SCCs.

Jonathan Kirsop of Pinsent Masons said: “Although there is a later deadline for remediation of data transfer contracts in the UK, the impending EU deadline provides businesses with an opportunity to carry out a single remediation exercise for both UK and EU compliance purposes in respect of their use of legacy EU SCCs.”

“SCCs are not the only mechanism that businesses can rely on for transferring personal data internationally. For example, so-called adequacy decisions already facilitate data transfers between the EU and a number of jurisdictions globally, including the UK, and there are moves afoot by the UK government to achieve similar arrangements with other countries themselves too. The EU-US Privacy Shield 2.0 promises to help support data transfer arrangements across the Atlantic in future too. Businesses transferring data to other jurisdictions or banking on Privacy Shield 2.0 cannot afford to wait – an SCCs remediation exercise should be undertaken as a matter of urgency to ensure continued compliance beyond 27 December 2022,” he said.
