GDPR international data transfers: Commission’s Draft Privacy Shield Replacement

Transition period for new Standard Contractual Clauses to expire on 27 December 2022

Earlier this week the European Commission published its draft adequacy decision for the USA (press release, draft). The proposal introduces a new EU-US Data Privacy Framework (DPF) permitting data transfers from the EU to the United States.

Similar to and in continuation of the former “Privacy Shield”, the new framework will establish a system of certification through which U.S. organisations commit to a set of privacy principles issued by the US Department of Commerce.

The draft will now be reviewed by the European Data Protection Board (EDPB) and the EU Member States. Considering any comments by the EU Member States and the non-binding opinion of the EDPB, the Commission may already issue a legally binding adequacy decision in early to mid-2023.

Once effective, companies will again be able to rely on the adequacy decision as a transfer mechanism. However, data privacy activists have already noted their scepticism and may again challenge the decision before European Courts. If successful, the adequacy decision may once again only see a short life span of two to three years. Therefore, companies may seek to implement back-up and exit-strategies for alternative transfer mechanisms (e.g. Standard Contractual Clauses and Transfer Impact Assessments).

Background

Following the invalidation of the former adequacy framework “Privacy Shield” by the Court of Justice of the European Union (CJEU) in mid-2020, data transfers to the USA have been facing legal challenges for the past two years (see our client alert).

In order to address the concerns of the CJEU and after negotiations between the European Commission and the United States, US President Joe Biden issued Executive Order 14086 on ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086) in October 2022. This EO is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). Collectively these new measures shall provide an adequate level of protection as required by the GDPR and EU fundamental rights of the EU Charta.

“Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic. The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses.” Didier Reynders, Commissioner for Justice – 13/12/2022, EU Commission press release

Mandatory transition to new Standard Contractual Clauses by 27 December 2022

Absent the adequacy decision, companies currently must rely on alternative transfer mechanisms. Most prominently, companies use so-called Standard Contractual Clauses (SCCs), i.e. template contract forms issued by the EU Commission.

In this regard, the European Commission adopted modernised SCCs in June 2021 (see our client alert).

According to this decision, SCCs in their previous versions could no longer be concluded after September 2021. Old SCCs already concluded before this date must be replaced by the “new” SCCs by 27 December 2022, at the latest.

While the new clauses offer many benefits and can be implemented for a wider variety of processing situations, the modules, options and annexes must be adapted to each specific case. In practice, the additional effort is compensated by the modernised clauses, as they simultaneously address the requirements of Art 28 GDPR (data processing agreements). Additional provisions or contracts to this effect can therefore regularly be omitted.

However, when drafting the clauses, the level of data protection in the third country must be examined and, if necessary, additional guarantees must be implemented (see clause 14; ECJ in C-311/18, “Schrems II”; and our client alert on supplementary measures).