International data transfer: do the new, standard EU contract clauses help middle-sized companies?

 The clauses in old contracts must be updated within 18 months.

Tobias Vößing

International data transfer: do the new, standard EU contract clauses help middle-sized companies?

On June 4, 2021, the EU Commission published the new standard contract clauses for the international transfer of personal customer and employee data. This aims to create greater legal security and, in particular, help small and middle-sized companies. However, data protection officers face a lot of work.

The EU Commission saw a need for action for two reasons: firstly, the existing clauses originate from the time before the EU General Data Protection Regulation (GDPR), which has been in force for two years.

Tough hurdles due to Schrems II judgment

In particular, the Schrems II judgment from the European Court of Justice(CJEU) dated July 16,2020 confronts companies with problems which are difficult to resolve if they intend to transmit personal information to cloud or IT service providers with data centers in third-party countries, namely countries outside of the EU or the European Economic Area (EEA). The judges in Luxembourg declared the Privacy Shield invalid. This was negotiated between the EU and the USA to create a protective shield for the transatlantic transfer of personal data. US law would permit such extensive access by intelligence services and security authorities, that the data protection standard does not comply with that of the EU, the CJEU stated. As a consequence, this eliminated the most important legal foundation for the transatlantic flow of personal customer and employee data for companies.

Lack of reliable and practical regulations

At the same time, the Luxembourg judges attached very strict conditions to the use of the standard contractual clauses on which the data flow to third-party countries is also very frequently based in practice. As a consequence, the contract partners commit to comply with the European data protection standards if, for example, a cloud provider stores customer data at data centers in the USA. Or if an IT service provider located in the United States is granted access to servers in Europe. According to the CJEU, the data exporter needs to examine the individual cases in advance: Do the circumstances of the data transfer or the technical protective measures such as encryption or pseudomyzation guarantee an adequate level of protection? Due to the lack of reliable and standardized guidelines from the data protection authority, companies now often have no idea how to proceed: When are the security measures adequate? Even the Recommendations of the European Data Protection Board (EDPB) only provide a limited degree of assistance.

Comprehensive risk analysis remains

The EU Commission intends to remedy the situation with the new standard contract clauses. In truth, there is greater legal security: In particular, clauses 14 and 15 do justice to the Schrems II judgment and the proposals from the data protection authorities. However, the new standard contract clauses also stipulate that the transfer of personal data shall be prohibited if the law and legal practices in third-party countries prevent the data importer from complying with the safety measures. Customers are obliged to carry out an analysis of the data transfer consequences, known as a Transfer Impact Assessment. They must make certain that the contract partner in the third-party country can fulfill the obligations imposed by the standard contract clauses. In practice, data protection officers have to continue analyzing each specific case: Which laws and the third-party country apply for data transfer? And do these collide with the guarantees stipulated in the standard contract clauses under certain circumstances?

React rapidly

Companies should take action quickly:

  • As of September 29,2021, all newly concluded contracts must comply with the new version.
  • In old contracts, the existing standard contract clauses must be replaced with the new clauses within 18 months or by December 27, 2022. This requires an assessment of the company itself and also of the subsidiaries.
  • In addition, data protection officers must examine the legal situation in the third-party country and obtain information from the contract parties in the third-party countries about the safety measures such as encryption, anonymization or pseudomization that they used to address the particular risks of the data transfer to the third-party country. Under some circumstances, it may make more sense to switch to European providers.
  • Comprehensive documentation of the risk assessment is essential. Since June 1, 2021, many data protection authorities have already begun sending out questionnaires asking how companies deal with the consequences of the Schrems II judgment for international data transfer.

While the EU Commission has taken plenty of time to adapt the standard contract clauses to the GDPR, which took effect in May 2018, it demands far more rapid action from companies. In particular, small and medium-sized companies now face the Herculean task of analyzing the risks of their specific data transfer. A successor agreement to the EU-US Privacy Shield would be truly legally reliable.