GDPR: December Deadline on Rule Changes for Ex-EU Data Transfer Arrangements

In our previous update¹, we discussed the standard contractual clauses which were adopted by the European Commission in June 2021 ("New SCCs").  Under Article 46 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), organisations that transfer personal data to a third country, without an adequacy decision, must use an appropriate transfer mechanism to protect personal data being transferred outside of the European Economic Area ("EEA").  

Deadline

From 27 December 2022, where you rely on standard contractual clauses as a transfer mechanism, the New SCCs must be used.  From this date, the original standard contractual clauses will no longer be an appropriate safeguard under Article 46 of GDPR.  

How to Comply

Organisations should now review their existing data transfer arrangements and develop an action plan for transitioning to the New SCCs before the December 2022 deadline.  The relationship(s) between data exporter(s) and data importer(s) should be analysed and the correct module of the New SCCs should be entered into between the parties.  The New SCCs can form part of existing agreements or entered into as a standalone document.  It is important to note that the New SSCs impose additional obligations on the parties including the requirement to prepare a documented data transfer impact assessment ("DTIA") (see Clause 14 of the New SCCs).  The DTIA, inter alia, documents the circumstances of the transfer, the governing laws of the third country and the supplementary measures to be imposed on the parties to protect against unauthorised disclosure and access of personal data.

Adequacy for the US?

Data transfers to the US have had increased complexity since the 2020 Schrems II decision where the pre-existing EU-US Privacy Shield Framework was annulled by the Court of Justice of the EU.  In that case, the court determined the Framework did not guarantee that personal data exiting the EU had a GDPR-equivalent level of protection.  Since that decision, organisations have used other transfer mechanisms, including SCCs, in order to transfer data to the US and comply with their GDPR obligations.  In response to the Schrems II decision, a new framework was approved in principle on 25 March 2022, following protracted negotiations between the EU and US.

On 7 October 2022, US President Joe Biden signed an executive order on 'Enhancing Safeguards for United States Signals Intelligence Activities'.  In response to it, the European Commission will now prepare a draft adequacy decision under Article 45 of GDPR, which will take approximately six months.  Should the Commission adopt the new framework, personal data can flow from the EU to the US without further safeguards being required.  Until the new framework is approved, organisations will need to rely on the existing safeguards in Article 46 of GDPR taking into account any guidance issued by regulators and industry bodies, such as the European Data Protection Board, when transferring personal data outside the EU / EEA to the US.

How the Maples Group Can Help

We can assist in preparing your New SCCs and how to demonstrate compliance, including a review of existing data transfers, data mapping, advising on available transfer tools, documenting your DTIA and supplementary measures, and engaging with local counsel where necessary.

For further information, please reach out to your usual Maples Group contact or any member of the Data, Commercial & Technology team below.

____________________________________________________________________________________________________________

^[1] https://maples.com/en/knowledge-centre/2021/6/international-data-transfers-new-transfer-sccs