December Deadline for Data Transfers fast approaches and Update on EU-US Data Sharing Framework
Thursday, 17 November 2022
New Standard Contractual Clauses must be implemented by 27 December 2022
The transition period for controllers and processors relying on pre-2021 Standard Contractual Clauses (“SCCs”) expires on 27 December 2022. As we previously reported, as and from that date, many data transfers to the majority of countries outside the EEA (including popular outsourced service destinations such as the United States, South Africa, Australia and India) may only take place where the SCCs adopted by the European Commission on 4 June 2021 (“2021 SCCs”) are in place. Implementing the 2021 SCCs requires certain onerous pre-contractual steps to be actioned by the parties. This includes a transfer impact assessment (“TIA”) to ensure the 2021 SCCs will be effective in practice.
Failure to implement the updated 2021 SCCs by the deadline and continuing to transfer personal data outside the EEA thereafter may result in a breach of the General Data Protection Regulation and incur enforcement actions by the Data Protection Commission, such as fines of up to €20 million or 4% of annual global turnover, whichever is greater, and/or orders to suspend the transfer, or compensation claims from affected individuals. The risk of reputational damage and negative publicity may prove to be as costly to data exporters found to be in default.
Our Data Protection team is available to assist you with amending existing contracts to implement the 2021 SCCs and undertaking TIAs as well as, more generally, the implications of international data transfer rules under the General Data Protection Regulation.
Update on the EU-US Data Privacy Framework
On 25 March 2022, following negotiations between the EU and US, an agreement in principle for a new EU-US Data Privacy Framework (the “New Framework”) was announced. These negotiations stemmed from the Court of Justice of the EU’s ruling in Schrems II (C-311/18) which invalidated the EU-US Privacy Shield that had facilitated trans-Atlantic data flows between data exporters in the EEA and data importers in the United States. The Court in Schrems II had found that: (i) US law did not sufficiently constrain the powers of intelligence authorities to what was necessary and proportionate, and (ii) EU citizens had insufficient means of redress before the US courts to enforce their data protection rights and challenge surveillance activities of such authorities, and as a result, data transfers to the US from the EEA have since been subject to some uncertainty.
On 7 October 2022, US President Joe Biden signed a new executive order on “Enhancing Safeguards for United States Signals Intelligence Activities” which implements the commitments made in principle for the New Framework. Addressing the concerns identified in Schrems II, personal data transferred to the US will be subject to:
- binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; and
- the establishment of an independent and impartial two-tiered redress mechanism, which includes a new Data Protection Review Court (“DPRC”).
These new safeguards represent significant enhancements on Privacy Shield. In addition, US intelligence authorities have been tasked with reviewing their policies and procedures in order to implement the new safeguards. On the same day that the executive order was signed, the European Commission published Questions & Answers: EU-U.S. Data Privacy Framework, providing an overview of the New Framework and the next steps for reciprocal implementation in the EU.
The European Commission is now expected to prepare a draft adequacy decision within six months under Article 45 of the General Data Protection Regulation, followed by a formal adoption procedure, which is currently expected to take around six months, i.e. Q2 2023.
We will continue to monitor and update on the development of the New Framework.