The FIFA World Cup Qatar 2022 may have just kicked off for international football teams. For multinational businesses that process personal data, two recent developments should be a priority on their tactics board:
- Final whistle on the old SCCs: The fast-approaching (data) transfer deadline day to implement new EU standard contractual clauses (SCCs) of 27 December 2022.
- A welcome new signing: President Biden's Executive Order, a recent development towards a US adequacy decision under the proposed EU-US Data Privacy Framework.
1. Final whistle on the old standard contractual clauses (SCCs)
Businesses relying on the pre-2021 versions of the SCCs as a transfer tool to comply with the General Data Protection Regulation (GDPR) have until 27 December 2022 to meet new compliance standards.
These new compliance standards are driven by the European Commission's adoption of new SCCs and impact many businesses processing and transferring personal data outside the European Union (EU).
In June 2021, the European Commission adopted new SCCs, replacing its legacy set of SCCs, giving businesses new compliance standards to meet within specific grace periods. There are two critical impacts associated with the new SCCs:
- Ongoing transfers - For existing transfers currently legitimised on the basis of the legacy SCCs, all businesses must transition from the legacy SCCs to the new SCCs by 27 December 2022. At a practical level, any legacy SCCs to which businesses are a party (or to which their service providers are a party as their agents) need to be replaced with the new SCCs before 27 December 2022. After 27 December 2022, it will no longer be possible to rely on the legacy SCCs to lawfully transfer personal data outside the EU, and businesses that have not yet updated their contracts will face the risk of non-compliance with the GDPR.
- New transfers - For new arrangements to be legitimised based on SCCs (e.g. arising from new contracts between businesses), it has been mandatory to use the new SCCs since 27 September 2021.
Making an impact (Data Transfer Impact Assessments)
In addition to re-papering legacy SCCs, following the Schrems II case (see our previous articles here and here), other additional compliance standards need to be actioned by businesses in conjunction with the new SCCs in the context of international data transfers.
When an EU-based business transfers personal data to a third country outside the European Economic Area, it must conduct a due diligence exercise on the local laws and practices of such "inadequate" third countries via an assessment known as a data transfer impact assessment (DTIA).
The objective of any DTIA is to determine the gaps in the laws and practices of a third country in the context of a specific transfer, where it is not deemed "adequate" for data protection standards by the EU.
Once a DTIA is completed, the identified gaps must be bridged by way of supplemental measures, i.e. organisational, technical and/or contractual measures agreed between the parties to the transfer so that personal data which is subject to the GDPR continues to have the protections of the GDPR standards when processed in the relevant third country.
2. A welcome new signing
In October 2022, US President Joe Biden signed an Executive Order (EO) which allows for a new data transfer framework between the EU and the US. The EO is a significant milestone for EU-US transfers as it makes way for:
- The European Commission to commence the ratification process for a US adequacy decision for transfers to the USA. This new process for transfers to the USA will be based on what is known as the "EU-US Data Privacy Framework" (DPF).
- The establishment of new privacy and civil liberties safeguards in the US concerning the activities of US surveillance/intelligence authorities.
The EO is one of three elements of the US adequacy framework under the DPF, the successor to the EU-US Privacy Shield. The DPF consists of the following:
- The US Department of Commerce privacy principles (as per the Privacy Shield). We expect these principles to be updated to at least refer to the GDPR.
- The EO.
- The US Department of Justice regulations. These regulations will make way for a two-tier redress mechanism in the US.
Early indicators are that the EU will deem it effective and that businesses can expect the European Commission's adequacy decision in spring 2023. There remains work to be done on both sides of the deal, with the potential for legal challenges by various EU institutions.
If passed in the EU, the DPF will assist those seeking to transfer data to the USA. There are also indicators that it will help companies conduct DTIAs for US transfers.
Next steps forward
Businesses must act now to replace any legacy sets of SCCs to which they are currently contracted with the new SCCs by 27 December 2022.