The export of personal data outside the EU is subject to strict rules.The principle is that any transfer to a country that does not offer an adequate level of protection is prohibited. There are only few countries outside the EU to which personal data can be freely transferred (Andorra, Argentina, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom, Uruguay and Canada & Japan in certain cases).
The United States is thus not part of this private circle, especially since the alternative safeguards approved at EU level (Safe Harbor and then Privacy Shield) have been successively invalidated by the ECJ (2015: Schrems I and 2020: Schrems II).
➡️ One way for data controllers and processors under the GDPR to transfer data outside the EU to a country that does not ensure a sufficient level of data protection is to use the European Commission's standard contractual clauses (SCCs). ➡️ However, it has recently been ruled (Schrems II) that SCCs are not necessarily sufficient as such to regulate the transfer of personal data outside the EU. ➡️ Before using them, entities must ensure that the applicable local law does not undermine the effectiveness of the protection required by EU law and the guarantees provided by the SCCs. If not, additional measures must be taken or the transfer must be renounced (see Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data).
🕛
The previous SCCs were repealed on 27 September 2021 and replaced by a new, more comprehensive set of clauses. The new SCCs must be used from 27 December 2022 for DPAs already in place before 27 September 2021 and used from this date for new DPAs .
🕛
The new SCCs cover transfers between : 🔹 EU and non-EU controllers 🔹 EU controllers to non-EU processors. 🔹 (🆕) EU processors to non-EU controllers and, 🔹(🆕) EU processors to non-EU processors.
💡 In practice, what shall EU entities do prior to the transfer of personal data outside the EU or to use a non-EU processor on the basis of SCCs ? 💡 ✔️ Step 1: Map the different transfers of personal data and determine their role in them (controller or processor); ✔️ Step 2: Map the legal basis of the transfer (adequacy decision, SCCS, data subjects’ consent, BCR, etc.). ✔️ Step 3: Make a transfer risk assessment. Where transfers are based on SCCs, assess the legislation and case law of the third country: are they equivalent to the protection offered by the GDPR? Are they likely to affect the effectiveness of the SCCs ? ✔️ Step 4: If you conclude from this analysis that the third country's legislation is not equivalent to that of the GDPR and/or likely to affect the effectiveness of the SCCs, put in place appropriate additional measures to achieve the required level of protection, depending on the particulars of the transfer, such as for instance encryption, pseudonymisation, contractual obligation to use specific technical measures or requiring increased transparency requirements, implementation of internal policies for governance of transfers, etc.
Written by Claire Leonelli and Claire Denoual, Avocats à la Cour