On 16 July 2020, the Court of Justice of the European Union declared the EU-US Privacy Shield invalid in the Schrems II case (C-311/18), because US surveillance law does not give personal data from the EU a level of protection essentially equivalent to that within the EU, and gives data subjects no effective judicial redress. As a result, companies are no longer allowed to rely on the Privacy Shield to transfer personal data from the EU to the US. According to the Court, model contracts (Standard Contractual Clauses) can still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice. To establish this, a Data Transfer Impact Assessment must first be carried out. What does a Data Transfer Impact Assessment entail? And how can it be carried out?
Data transfer based on Standard Contractual Clauses
A transfer of personal data to a third country should only take place if appropriate safeguards are put in place. Such safeguards can be provided by using a model contract approved by the European Commission: Standard Contractual Clauses (SCC). These contain provisions that offer appropriate safeguards, among other things by setting out the obligations and liabilities of both parties (the data exporter in the EU and the data importer in the third country).
On 4 June 2021 the European Commission adopted a new model contract that companies can use for the transfer of personal data from the EU to countries outside the EU. The new model contract takes into account the judgment in the Schrems II case and is modular: it contains separate sets of clauses for controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. Among other things, it sets out the steps that companies must take to comply with the GDPR. In addition to using the SCC, the third country in question must offer an equivalent level of protection in practice. This is not the case if the recipient in the third country is unable to fulfil its obligations under the SCC because of the third country’s legislation, for example because local law obliges it to hand over the data to public authorities. Simply concluding the SCC is therefore no longer sufficient. Companies that transfer personal data to countries outside the EU must perform a risk analysis for each transfer. This is also called a Data Transfer Impact Assessment.
How to perform a Data Transfer Impact Assessment
In a Data Transfer Impact Assessment, the parties assess whether there are reasons to believe that the laws and practices in the third country of destination prevent the recipient from fulfilling its obligations under the SCC. This includes legislation that requires the recipient to hand over personal data to the authorities, and legislation that allows public authorities to access the data directly. To make this assessment, the risk analysis should cover the following topics:
- the specific circumstances of the transfer. This includes the length of the processing chain and the number of actors involved, the channels used for the transmission and any intended onward transfers. Other relevant circumstances are the type of recipient, the purpose of the processing and the categories of personal data. Finally, the volume of personal data, the economic sector in which the transfer takes place and the location where the transferred data is stored are important.
- the laws and practices of the third country of destination. This includes laws and practices that require the recipient to provide data to government agencies, and laws and practices that permit direct access by such authorities. Publicly documented access requests and the experience of the recipient itself are relevant here, not only the text of the law.
- the contractual, technical or organisational safeguards that are put in place in addition to the SCC. This includes measures applied during the transmission and to the processing of the personal data in the country of destination, for example encryption and pseudonymisation. Such measures only help if the means of reversing them stay out of reach of the third-country authorities: encryption or pseudonymisation is an effective safeguard when the keys or the re-identification table remain solely under the control of the exporter in the EU, and it is not an effective safeguard when the recipient needs the data in the clear to do its job and can therefore be compelled to hand it over.
If adequate safeguards cannot be provided, taking into account the circumstances of the transfer and possible additional measures, the data exporter must suspend the transfer of personal data and, if no solution can be found, terminate the contract.
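The pseudonymisation measure mentioned above, worked through as an added example (this code is not from the original article and does not come from any specific product). It assumes a data exporter in the EU that replaces the direct identifiers in each record with keyed HMAC-SHA256 tokens before transfer, keeps the key and the re-identification table at home, and ships only the tokenised records. The sample records, field names and the `Exporter` class are constructed for illustration.

```python
"""Pseudonymisation before an EU -> third-country transfer (illustrative).

The exporter in the EU replaces direct identifiers with keyed tokens and
keeps the key and the re-identification table itself. The recipient only
ever receives the tokens, so an authority in the third country that
compels disclosure from the recipient obtains no directly identifying data
and cannot recompute tokens from guessed names or e-mail addresses.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample records; these are not real customers.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "country": "DE", "plan": "pro", "tickets": 3},
    {"customer_id": "C-1002", "email": "bob@example.com", "country": "NL", "plan": "free", "tickets": 0},
    {"customer_id": "C-1003", "email": "alice@example.com", "country": "DE", "plan": "pro", "tickets": 1},
]

# Fields that identify a person on their own; they must never leave in clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, field-bound token for one identifier value.

    Binding the field name into the message means the same string used as
    an e-mail address and as a customer id yields two unrelated tokens.
    Without `key` nobody can recompute the token, so the recipient cannot
    test guesses such as "is this alice@example.com?" offline.
    """
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Exporter:
    """Data exporter in the EU. Holds the only copy of the key and table."""

    def __init__(self, key=None):
        # 256-bit key, generated and retained inside the EU; never transferred.
        self.key = key or secrets.token_bytes(32)
        self._reident = {}  # token -> original value, kept by the exporter only

    def prepare_transfer(self, records):
        """Return copies of `records` with direct identifiers tokenised."""
        exported = []
        for record in records:
            out = dict(record)
            for field in DIRECT_IDENTIFIERS:
                if field in out:
                    token = pseudonym(self.key, field, str(out[field]))
                    self._reident[token] = out[field]
                    out[field] = token
            exported.append(out)
        return exported

    def reidentify(self, token: str):
        """Reverse a token; only possible on the exporter's side."""
        return self._reident.get(token)


def leaks_identifiers(exported, originals) -> bool:
    """Pre-transfer check: no original identifier value may appear anywhere
    in the serialised payload, whatever field it ended up in."""
    payload = json.dumps(exported)
    for record in originals:
        for field in DIRECT_IDENTIFIERS:
            if str(record[field]) in payload:
                return True
    return False


def recipient_guess(exported, guessed_key: bytes, email: str) -> bool:
    """What the recipient (or an authority holding its copy) can do: it can
    confirm a guessed e-mail address only if it also holds the key."""
    token = pseudonym(guessed_key, "email", email)
    return any(r["email"] == token for r in exported)


if __name__ == "__main__":
    exporter = Exporter()
    transfer = exporter.prepare_transfer(SAMPLE_RECORDS)
    print(json.dumps(transfer, indent=2))
    print("payload leaks identifiers:", leaks_identifiers(transfer, SAMPLE_RECORDS))
    print("recipient confirms a guess with a random key:",
          recipient_guess(transfer, secrets.token_bytes(32), "alice@example.com"))
    print("exporter re-identifies first record:", exporter.reidentify(transfer[0]["email"]))
```

Two design points matter for the risk analysis itself. First, the tokens are deterministic, so the recipient can still link the two records belonging to the same person (both carry the same e-mail token); that is often wanted for analytics in the destination country, but it is linkability the assessment has to account for. Second, the measure only works as long as the key and the re-identification table never leave the exporter: if the recipient needs the identifiers in the clear to perform the service, pseudonymisation is not an available safeguard and the assessment has to look at other measures or conclude that the transfer cannot go ahead.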
What does this mean for your data transfer?
Under the new SCC (Clause 14), both the data provider (exporter) and the recipient (importer) must document the risk analysis and make it available to the supervisory authority upon request. Companies have had to use the new SCC for new contracts since 27 September 2021. Companies that already used the old model contract as a transfer tool have until 27 December 2022 to bring their existing contracts in line with the new SCC. Organisations should therefore check now whether their current contracts still rely on the old model. If so, they will have to switch to the new model contract, and in doing so they must still perform and document a Data Transfer Impact Assessment for each transfer.