Time is running out for transatlantic data transfers

After the Schrems II ruling struck down the Privacy Shield, EEA and US companies were left without a satisfactory framework for transferring personal data between the EEA and the US. European companies using US cloud services can still use the EU Standard Contractual Clauses as a basis, but are themselves responsible for documenting the specific measures that prevent access by US authorities. Businesses therefore face great regulatory risks and uncertainties.

In response to this challenge, the European Commission reached an agreement this spring with the United States on the modalities for setting up a new transfer framework called “The Trans-Atlantic Data Privacy Framework” for transfers to the United States. The framework has not yet been finalized and there are still uncertainties as to how companies can practically transfer personal data between the EEA and the United States. What should businesses do in the meantime?

Framework uncertainty

It is estimated that the new framework will arrive towards the end of 2022, but no official date has been announced. It is reasonable to assume that it will take longer. The contents of the framework have not been published and we do not know how far the work has progressed. Furthermore, it is not certain that the framework will survive a possible review by the Court of Justice of the EU, as NOYB and Max Schrems have warned. The new framework faces the same legal challenges that plagued its predecessors, Privacy Shield and Safe Harbor.

For now, US officials have said the transatlantic data privacy framework will not involve changes to surveillance laws that the European Court of Justice has ruled too intrusive. It is therefore not inconceivable that the Trans-Atlantic Data Privacy Framework will suffer the same fate as its predecessors, when NOYB takes the case to court.

Complicated intermediate phase

Regardless, until a new framework is in place, companies wishing to transfer personal data to the United States in accordance with the Schrems II judgment should ensure that additional security measures are in place and assess whether the measures provide sufficient security for a legal transfer. In practice, this now means entering into the recently updated EU Standard Contractual Clauses with an associated transfer impact assessment (usually referred to as a Transfer Impact Assessment, “TIA”) and, if necessary, supplementing them with encryption and other measures.

SCC and TIA

The reason for this is that the Court of Justice of the European Union, in the Schrems II judgment, upheld the right to use the EU Standard Contractual Clauses (SCCs) for transfers to third countries, provided that companies relying on SCCs have carried out a concrete impact assessment showing that the SCCs offer a sufficient level of protection in practice. The assessment is complicated for the time being and could result in the transfer not being possible without significant additional costs, or not possible at all.

The deadline for the update is just after Christmas

Following the Schrems II judgment, the European Commission adopted updated SCCs. Standard clauses can no longer be concluded on the old templates, and existing contractual relationships established on the old SCCs will only be valid until 27 December 2022. Companies that have not yet updated their SCCs must therefore make sure to check them now and update them before the deadline is missed.

Complicated risk assessment

However, a requirement of the new SCCs is that the parties must satisfy themselves that they have no reason to believe that the legal requirements or practices of the country outside the EEA prevent the data importer from fulfilling its confidentiality obligations under the contract. In this regard, the parties must take into account a number of complex issues, such as the specific circumstances of the transfer, the laws and practices of the third country, and the relevant contractual, technical and organizational safeguards that supplement the contractual provisions.

Since the assessment is expected to cover not only the law of the third country but also its current practice, companies wishing to transfer personal data to a third country must carry out a complete assessment of the legal situation of the third country. This is a demanding and costly exercise, rarely realistic for small businesses.

And now?

It is high time to set up a transfer mechanism facilitating transatlantic transfers of personal data. So far, no new framework is in place and companies still have to rely on SCCs with an associated TIA. A small consolation is that these assessments are increasingly streamlined, but access to expertise is scarce and expensive.

If “The Trans-Atlantic Data Privacy Framework” is adopted before Christmas, the update will be useless. But as long as we do not know whether it will be adopted before Christmas, the update must be done. The advantage is that you will also have a basis for transfer in case the Court of Justice of the EU also rejects the new rules. Companies that nevertheless choose, or are forced, to wait for a new transfer framework rather than use SCCs therefore risk violating the GDPR.


Rolf Mckinney
