In response to the “Schrems II” Decision of the European Court of Justice (ECJ), the EU Commission published new standard contractual clauses (SCC) on 7 June 2021. While these have been binding for new contracts since last year, the implementation deadline for existing contracts is 27 December 2022. Companies should ensure now at the latest that they have concluded new contracts with their service providers. Otherwise, there is a risk of severe fines and damage compensation claims from those affected.
What are the standard data protection clauses?
The General Data Protection Regulation (GDPR) aims to ensure that the level of protection it guarantees for personal data is not undermined by data transfers to third countries. Companies have been dealing with the resulting legal problems in international data transfers for years. This is particularly true since the ECJ declared the EU-US Privacy Shield invalid and annulled the EU Commission’s adequacy decision based on it.
One way to transfer data to third countries in a privacy-compliant manner without an adequacy decision is to use SCCs. In the “Schrems II” Decision, the ECJ also formulated more stringent requirements for data transfers based on the SCCs. The new SCCs therefore provide appropriate safeguards and effective remedies to ensure that the data importers guarantee adequate protection for data in third countries. The new SSCs also impose additional obligations on companies. These include conducting a transfer impact assessment (TIA) and providing assurance that there is no reason to believe that “the laws and practices applicable to the processing of personal data by the data importer prevent the data importer from fulfilling its obligations under the standard contractual clauses.”
What’s to be done?
Companies should check whether they export data to third countries for which no adequacy decision exists. If the relevant contracts with service providers still contain old standard contractual clauses, companies should contact them immediately. If not already done, a TIA should also be performed.
However, large providers are likely already using the new SSCs. After all, the new SSCs have been mandatory for new contracts since last year, so reputable providers already had to deal with the issue anyway. If the service provider proves to be uncooperative, it should be examined whether a change to another provider is possible with reasonable effort. The time until the end of December is limited and protracted discussions with intransigent companies are only useful if their service cannot be easily replaced. This has particular practical relevance for cooperation with US service providers. Although the EU Commission is preparing a new adequacy decision that could make the conclusion of the clauses superfluous, it is by no means certain that this will be achieved by the end of the year.