Why Businesses are Busy Now Updating Compliance Around Transfers of European Data to Comply with a September 27 Deadline—And Why Yours Should be Too.

Robins Kaplan LLP
Contact

Robins Kaplan LLP

Personal data transfers from the European Economic Area (“EEA”) to most other countries, including the United States, require companies to take prompt compliance action. The General Data Protection Regulation (“GDPR”) requires that transfers of EEA personal data outside of the EEA to have adequate levels of protection in the destination country where the data is received. For transfers to the United States, businesses primarily relied on Privacy Shield and European Commission approved Standard Contractual Clauses to document meeting this requirement. On July 16, 2020, the EU Court of Justice (ECJ) invalidated Privacy Shield based on the potential interference with data subject rights caused by US government surveillance in a case that has come to be known as Schrems II.  Schrems II went beyond invalidating the Privacy Shield and cast a cloud over Standard Contractual Clauses as well, suggesting that assessments of some sort would need to be made to ensure that the Standard Contractual Clauses were meeting these requirements. 

The European Commission and European Data Protection Board in June of 2021 provided clarity about what these steps must include. Importantly, the European Commission released new Standard Contractual Clauses addressing some of these issues that it is requiring all business to use instead of the prior Standard Contractual Clauses. The new Standard Contractual Clauses must be implemented imminently by businesses in relevant contracts starting September 27, 2021. All existing contracts relying on the prior Standard Contractual Clauses must be converted to the new Standard Contractual Clauses by December 27, 2022. 

Note that updating contracts is just one piece of solving the Schrems II compliance puzzle. Both the updated terms of the new Standard Contractual Clauses and recommendations issued by the European Data Protection Board make clear that compliance obligations on this front will not be met by merely signing contracts. An affirmative obligation exists on businesses to conduct a complex assessment of what laws and practices such as government surveillance laws might impinge upon European personal data once it is transferred outside of the EEA. If this assessment reveals a gap in protection under the laws of the recipient country, companies must develop and implement technical, organizational and/or contractual measure in such a manner as to resolve this concern or cease the data transfer. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robins Kaplan LLP

Written by:

Robins Kaplan LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robins Kaplan LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide