Personal data transfers from the European Economic Area (“EEA”) to most other countries, including the United States, require companies to take prompt compliance action. The General Data Protection Regulation (“GDPR”) requires that transfers of EEA personal data outside of the EEA have adequate levels of protection in the destination country where the data is received. For transfers to the United States, businesses primarily relied on Privacy Shield and European Commission approved Standard Contractual Clauses to document meeting this requirement. On July 16, 2020, the EU Court of Justice (“ECJ”) invalidated Privacy Shield based on the potential interference with data subject rights caused by US government surveillance in a case that has come to be known as Schrems II. Schrems II went beyond invalidating the Privacy Shield and cast a cloud over Standard Contractual Clauses as well, suggesting that assessments of some sort would need to be made to ensure that the Standard Contractual Clauses were meeting these requirements.
The European Commission and European Data Protection Board in June of 2021 provided clarity about what these steps must include. Importantly, the European Commission released new Standard Contractual Clauses addressing some of these issues that it is requiring all businesses to use instead of the prior Standard Contractual Clauses. The new Standard Contractual Clauses must be implemented imminently by businesses in relevant contracts starting September 27, 2021. All existing contracts relying on the prior Standard Contractual Clauses must be converted to the new Standard Contractual Clauses by December 27, 2022.
Note that updating contracts is just one piece of solving the Schrems II compliance puzzle. Both the updated terms of the new Standard Contractual Clauses and recommendations issued by the European Data Protection Board make clear that compliance obligations on this front will not be met by merely signing contracts. An affirmative obligation exists on businesses to conduct a complex assessment of what laws and practices, such as government surveillance laws, might impinge upon European personal data once it is transferred outside of the EEA. If this assessment reveals a gap in protection under the laws of the recipient country, companies must develop and implement technical, organizational and/or contractual measures in such a manner as to resolve this concern, or cease the data transfer.
Our attorneys can assist your business in navigating this complex compliance web. Please reach out if you would like assistance.