Schrems II (ECJ 16.07.2020, C-311/18) and the associated end of the adequacy decision for the United States of America (the EU-US Privacy Shield) has really shaken up the cooperation of European companies with US service providers. With the ruling of the European Court of Justice (ECJ), the convenient basis for the transfer of data from the European Union (EU) to the United States (US) has ceased to exist – from one second to the next, long-standing relationships with US service providers became illegal under European data protection law.
Many US services reacted promptly and switched to the EU Standard Contractual Clauses virtually overnight. These were old, but according to the ECJ explicitly still suitable as an adequate guarantee for data protection transfers outside the European Economic Area. However, the ECJ required additional appropriate safeguards. This in turn prompted the European Data Protection Committee (EDSA) to adopt recommendations. Meanwhile, the European Commission tried to negotiate a new adequacy decision with the US as soon as possible. Realizing that European business could not wait for this political and diplomatic arrangement, the European Commission revised the outdated standard contractual clauses and published new Standard Contractual Clauses (SCC New) in June 2021.
What lies ahead for companies with the new EU Standard Contractual Clauses
The SCC New can now be agreed between a controller or processor in the EU (Data Exporter) and one in a third country (Data Importer). And the clock is ticking. By the Christmas holidays in 2022, all data transfers to third countries must have been converted – at least if Standard Contractual Clauses form the basis.
With the changeover, there is also a small but subtle relief: If SCC New are agreed with a processor, the clauses already cover the minimum requirements for the processor contract (Art 28 GDPR).
Guarantee declaration as a central element for data transfers
The central element of the SCC New is the guarantee declaration by the Data Exporter that it has satisfied itself that the Data Importer can comply with the obligations arising from the SCC New. In short: an active compliance obligation for every data controller or processor who transfers personal data to a third country.
Another element of this guarantee statement concerns the following assurance: “The Parties warrant that they have no reason to believe that the laws and practices […] prevent the data importer from fulfilling its obligations under these Clauses.” In short: The law in the third country must not conflict with the European understanding of data protection. The basis of this presumption is an overall assessment consisting of the transfer circumstances, the processing chain, the industry and storage location, the legal system in the third country, and the contractual, technical or organizational safeguards taken. For the last point, again the European Data Protection Board has published recommendations.
Transfer Impact Assessment as a tool for risk-based data transfer
In order to manage the compliance associated with the guarantee declaration in accordance with the SCC New in an efficientway during ongoing operations, we recommend to conduct a Transfer Impact Assessment (TIA) on a regular basis. A risk-based, data-protection-management approach that ensures legally compliant data transfer through checks and plausibility testing.
As it’s not just the mandatory tasks of the Data Importer that must be ensured and the assessment of the situation in the third country, the new SCC provide for close cooperation and a committed exchange between Data Exporter and Importer at numerous points. Deadlines must be ensured and processes must be established.
Third-party beneficiary clause as a pitfall
With the agreement of the SCC New, data subjects are automatically granted comprehensive third-party beneficiary rights. They can thus invoke large parts of the contractual provisions and take legal action against all parties to the clauses in court or before the data protection authority.
Companies should therefore urgently review and update their data protection contracts. In the event of a breach, there is a risk not only of civil action by the persons affected, but also of massive fines of up to EUR 20 million or 4% of the previous year’s global turnover.