GDPR & international transfer: deadline December 27, 2022

Last year, on June 4, 2021, the European Commission published a new model contract (in English: “Standard Contractual Clauses” or abbreviated “SCCs”) for the transfer of personal data to countries outside the European Economic Area (“EEA”). The old model contracts were no longer to be used for new transfers of personal data as of September 27, 2021. Model contracts agreed before this date remained valid, but not indefinitely. As of next December 27, international transfers may no longer be legitimized with these old model contracts. This blog explains what this means for your organization.

Old model contracts

The European directive that applied before the advent of the General Data Protection Regulation (“GDPR”) already included rules for the transfer of personal data to a country outside the EEA. Based on this directive, the old model contracts were drawn up. However, these old model contracts proved challenging in practice. Moreover, they did not align with the GDPR. Therefore, the European Commission has drafted a new model contract and it entered into force on June 27, 2021. The new model contract has eliminated practical challenges in contracting and is obviously in line with the GDPR. In this blog, you can read more about international transfers and why you can or even should use the model contracts.

What happens on December 27, 2022?

Article 4 of the European Commission’s decision includes a transition period to start using this new model contract. By December 27, any transfer that is based on an old model contract must have the new version in place.

In concrete terms, this means that if your organization is currently using model contracts, you must assess whether these have now been replaced by the new model. If not, you should do so as soon as possible.

Data transfer impact assessment

The new model contract also includes new obligations. One such obligation is that both the data exporter (covered by the GDPR) and the data importer (outside the EEA or an international organization) must assess whether the data importer can fulfill its obligations in the model contract (Article 14 of the new model contract). This is also known as a data transfer impact assessment (“DTIA”). This involves identifying the national law applicable to the data importer’s processing of personal data and enforcement by national authorities in that country. It should then be assessed whether there are any laws or customs that prevent the data importer from complying with the agreements in the model contract.

This is the case, for example, when the data importer may be required by a national law to provide all personal data to a government agency. If such an obligation exists, then it should be assessed whether additional measures can be taken to still protect the personal data. If this is not possible, then it may be necessary to stop the transfer. This is a far-reaching assessment that requires effort from both parties. The European Data Protection Board (“EDPB”) has prepared recommendations for using the model contract and conducting a DTIA. These can be found here.

Enforcement

Whether the Personal Data Authority will actually and equally enforce this section as of December 27 is not clear. In any case, the European Court ruled in the Schrems II case that supervisory authorities are obliged to suspend or prohibit transfers when an adequate level of protection is not ensured.