The issue of transfer of personal data from the EU
countries to the United States has raised many questions
for years, while its legal framework has rapidly
evolved. Said personal data transfer is governed under
Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of
personal data and on the free movement of such data
and repealing Directive 95/46/EC (General Data
Protection Regulation) (“GDPR”). However, the detailed
procedures for the transfer are subject to still further
changes. These include, among others: contractual
stipulation of appropriate safeguards, binding
corporate rules, and issuance of the adequacy decision
by the European Commission (“EC”) confirming
adequate level of protection. In recent years, the last
method proved to be ineffective, as following rulings of
the Court of Justice of the European Union, two
programs previously approved by the EC aimed at
regulating the issue: Safe Harbour and Privacy Shield,
were cancelled. Thus, standard contractual clauses
remain one of the basic methods to ensure safe and
legal transfer of personal data to third countries.
On 4 June 2021, to meet the demand for a new
mechanism enabling transfer of personal data to
countries outside the EU, the European Commission
adopted a new set of contractual clauses. The term
contractual clauses refers to provisions in a contract
between counterparties, in this particular case, ensuring
an adequate level of security and confidentiality of the
data being transferred. The new model clauses comply
with GDPR and assumedly meet market requirements.
An example of that is their design, referred to as
modular. It should enable counterparties to develop
extensive clauses in an easy and transparent manner, depending on what type of transfer is contemplated
under the relevant agreement.
The new set of standard contractual clauses falls into
three sections: general clauses, special clauses, and
schedules. The general clauses apply to all types and
scenarios of transfer (e.g. preliminary or contract
termination clauses). Special clauses have a narrower
scope of application. It is these clauses that offer
modular construction referred to above. There are four
separate modules:
- Transfer between a controller and a
controller in a third country; - Transfer between a controller and a
processor in a third country; - Transfer between a processor and a
processor in a third country; - Transfer between a processor and a
controller in a third country.
Each of the modules listed above requires to be tailored
to the relevant facts and nature of the contract. The
third section of the new standard contractual clauses
are schedules that include, among other things, a list of
parties and a description of transfers, technical and
organizational measures, and a list of processors.
The new contractual clauses took effect on 27 June
2021. But what about contracts drawn up based on the
previous set of standard contractual clauses? They can
remain unchanged for 18 months from the date of
promulgation of the new clauses (until 27 December
2022). After that time, contracts and data transfer
procedures must be realigned with the new regulations.
The exception is when the processing operations
contemplated under the contract change. Under such
circumstances, the standard contractual clauses of 27
June 2021 should be applied when drafting
amendments to the contract.
The introduction of new standard contractual clauses
was a much needed development. The new clauses not
only comply with GDPR and judgments of the Court of
Justice of the European Union, they also make it much
easier to draft contracts for transfer of personal data
to third countries, while at the same time ensuring
security of the process. They are also much easier to
use, more diverse, and are a better fit with the current
realities. Therefore, it seems that they should at least to
some extent clean up the legally wobbly issue of
personal data transfer to countries outside the EU.
Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of certain recent legal
developments of selected areas of law. For this reason the information contained in this publication should not form the basis of any decision as to a particular course of action;
nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases. The services of a competent professional adviser should be obtained
in each instance so that the applicability of the relevant legislation or other legal development to the particular facts can be verified.