Barbara Scheben, Partner

Highlights

  • According to the EU General Data Protection Regulation, the transfer of personal data to countries outside the EU/EEA is only permitted if an adequate level of data protection can be guaranteed.

  • With the "Schrems II" ruling, the EU-US Privacy Shield, and with it the adequacy-based legal basis for data transfers to the USA, has ceased to exist. The UK will only be treated as an EU member for data protection purposes until 30 June 2021.

  • With an adequacy decision for the UK and new standard data protection clauses, the EU Commission wants to create the basis for legally secure data transfers.

Brexit, the "Schrems II" ECJ ruling and outdated standard data protection clauses have caused a lot of uncertainty in data exchange with non-EU countries. Now, the EU Commission is about to take crucial decisions intended to increase the protection of global data flows and ensure legally secure data transfers. Companies will be confronted with numerous changes as a result.

Ongoing uncertainty about data transfers to third countries

The EU General Data Protection Regulation (GDPR) only permits the transfer of personal data to third countries (outside the EU/EEA) if an adequate level of data protection can be guaranteed in the respective country. The safest guarantee is an "adequacy decision", by which the EU Commission officially declares the level of data protection of a state to be adequate. EU companies can then transfer personal data without additional restrictions, at least as long as the adequacy decision remains in force. Such a decision also existed for the USA, the EU-US Privacy Shield. However, as was widely publicised, it was declared invalid in mid-2020 by the "Schrems II" ruling of the ECJ. The adequacy-based legal basis for data transfers to the USA thus disappeared at a stroke.

If there is no valid adequacy decision, the GDPR provides for various other instruments to guarantee the required level of data protection in a third country. Of the greatest practical relevance are the standard data protection clauses, also known as standard contractual clauses (SCCs). By concluding these, the data exporter and the data importer mutually undertake to comply with appropriate data protection rules. The current SCCs date back to the pre-GDPR era. They have therefore been in need of revision for a long time and are sometimes difficult for companies to handle. In its "Schrems II" ruling, the ECJ also formulated strict requirements for data protection-compliant transfers on an SCC basis: the parties must verify, before transferring, that the law of the third country does not prevent the importer from honouring the clauses.

Brexit has caused additional uncertainty in cross-border data transfers. Since the start of this year, the United Kingdom has formally been a third country.

Data exchange with the United Kingdom to remain possible without additional requirements

The data transfer problem that arose with Brexit was initially deferred until 30 June 2021. Despite leaving the EU, the United Kingdom will until that date continue to be treated as an EU member under data protection law on the basis of the EU-UK Trade and Cooperation Agreement. In order to ensure that data transfers remain possible without additional requirements, the EU Commission published a draft adequacy decision for the UK on 19 February 2021, which is expected to be adopted within the transition period.

As soon as the adequacy decision takes effect, companies must revise their internal documentation on data exchange with the UK and, if necessary, their data protection notices accordingly. They should also note that the current draft of the decision only provides for a four-year validity period, with an option to extend after a prior review. Nor can it be ruled out that the decision will lose its validity before then. Should the data protection situation in the UK deteriorate significantly in the future, the EU Commission can and must revoke, amend or suspend the decision early. There is also the possibility that the decision, as in the "Schrems II" case, will be declared invalid by the ECJ. For companies, this means that although the data protection challenges triggered by Brexit appear to have been averted for the time being, the upcoming changes should be taken into account and developments should be kept under review.

Standard data protection clauses 2.0

For data transfers to third countries without an adequacy decision, companies should prepare for even more far-reaching changes. For the standard contractual clauses on which such transfers are often based, the EU Commission published a draft of a new version at the end of 2020. The new SCCs are not only much more comprehensive but also much more specific than the previous ones. They reflect the relevant GDPR provisions in contractual form and take into account the latest ECJ requirements. The new clause sets are modular, with the choice of modules depending on the roles (controller or processor) of the data exporter and the data importer. Among other things, the new clauses require that the legal situation in the respective third country be assessed, specify how this assessment is to be carried out, and stipulate that it is to be documented, continuously reviewed and, on request, made available to the supervisory authorities.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have welcomed the SCC draft in principle. In a joint opinion of January 2021 (Joint Opinion 2/2021), however, they called for numerous clarifications as well as further tightening on individual points, for example with regard to documentation requirements or liability. The EU data protection authorities evidently wished to ensure that the clauses provide the maximum contractual protection. It remains to be seen to what extent the EU Commission will follow their recommendations.

Once the new standard contractual clauses enter into force, new data transfers can no longer be based on the previous SCCs, and the draft decision allows only a limited transition period for contracts already concluded on the old clauses. Companies should therefore prepare for corresponding contractual adjustments with their business partners and group companies in third countries. The new SCCs are likely to be unusually detailed for many third-country companies, but this will also make it easier to derive concrete guidelines for action. Just like the previous SCCs, however, the new clauses are not on their own a complete solution for data protection-compliant transfers. If individual SCC obligations cannot be complied with because of the local laws of the respective third country, such deficits must be compensated for by additional technical and/or organisational measures tailored to the individual case.

Outlook

In view of possible fines of up to 4% of worldwide (group) annual turnover, the uncertainties of data transfers to third countries present companies with considerable challenges. The decisions prepared by the EU Commission address the biggest problems in this area at present. For companies, the planned changes bring a great deal of legal certainty but also entail a certain amount of implementation work.

The experts at KPMG will be happy to provide you with an analysis of how much your company is affected by the emerging changes and what adjustments need to be made for data transfer.