
GDPR - International Data Transfers – Beware of the Deadline

  • laurenthousen
  • 11 Dec. 2022
  • 3 min read

Last updated: 15 Dec. 2022

Pursuant to Article 45 of the General Data Protection Regulation (GDPR), a transfer of personal data to a country outside the European Union or to an international organization may take place when the European Commission has found that this third party to the Union provides an adequate level of protection for the data concerned.


With such approval, which takes the shape of an adequacy decision, the transfer of data does not require specific authorization. However, few non-EU countries have been granted an adequacy decision and, in all other cases, strict conditions must be complied with.


However, there is little doubt that the European IT environment is either dependent on non-EU players for technical and historical reasons (typically the GAFAMs) or has some of its IT services shared between the EU and third countries, traditionally for cost reasons. This results in unavoidable data transfers, despite the increasingly restrictive case law of the Court of Justice and the logical application of the core principles of data protection and privacy.


The aim is to ensure that personal data leaving the EU benefit from a standard of protection equivalent, if not identical, to the one they enjoy in the EU.


To achieve this, the data controller must ensure the security of all transfers, by relevant technical means and legal guarantees that it includes in its contracts with its partners.


This onerous burden lies on the data controller’s shoulders. However, the controller has a (very partial) tool at its disposal in the shape of standard contractual clauses (SCC). The SCCs allow the controller to comply with the requirements of Articles 45 et seq. of the GDPR.


In 2021, following the Court of Justice’s precedent (Schrems II ruling), new SCC were adopted by the Commission. These clauses will enter into force on 27 December 2022 and must be applied by every operator by that date. Failing that, controllers will have to bring themselves into compliance as soon as possible.


However, these clauses are unsatisfactory and in fact delegate a heavy responsibility to the controller. In practice, they require data exporters and importers to assess for themselves the legislation of the recipient countries, as well as the risk of access to the transferred data by local authorities.


The US authorities and their prerogatives under the Patriot Act and the CLOUD Act, in particular, are the usual suspects. However, almost all non-European countries (those without an adequacy decision) are concerned.


Such an obligation to assess foreign legislation is not easy to comply with and will require discipline as well as ... common sense.


Above all, it will be up to European undertakings to take technical, organizational and contractual measures to limit as much as possible the technical risks related to data transfers to and from non-EU countries, and to document the measures thus adopted.


In this respect, adding guarantee and audit clauses for partners, subsidiaries or co-contractors will be instrumental in safeguarding the interests of any data processor or controller who needs to maintain control over the processing of the transferred data. Adequate supervision of subcontracting outside the EU will also be essential. Such a compliance exercise is not just a theoretical commitment; it calls for effective monitoring of one’s contractual environment.


The new contractual clauses will enter into force on 27 December, and it is never too late to comply or to review existing contracts. Their examination, review or monitoring may, moreover, be eligible for subsidies.
