The issue of transfer of personal data from the EU countries to the United States has raised many questions
for years, while its legal framework has rapidly evolved. Said personal data transfer is governed under
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data
and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”). However, the detailed procedures for the transfer are subject to still further changes. These include, among others: contractual stipulation of appropriate safeguards, binding corporate rules, and issuance of the adequacy decision by the European Commission (“EC”) confirming adequate level of protection. In recent years, the last method proved to be ineffective, as following rulings of the Court of Justice of the European Union, two programs previously approved by the EC aimed at regulating the issue: Safe Harbour and Privacy Shield, were cancelled. Thus, standard contractual clauses remain one of the basic methods to ensure safe and legal transfer of personal data to third countries.
On 4 June 2021, to meet the demand for a new mechanism enabling transfer of personal data to countries outside the EU, the European Commission adopted a new set of contractual clauses. The term contractual clauses refers to provisions in a contract
between counterparties, in this particular case, ensuring an adequate level of security and confidentiality of the data being transferred. The new model clauses comply with GDPR and assumedly meet market requirements. An example of that is their design, referred to as modular. It should enable counterparties to develop extensive clauses in an easy and transparent manner, depending on what type of transfer is contemplated under the relevant agreement.
The new set of standard contractual clauses falls into three sections: general clauses, special clauses, and schedules. The general clauses apply to all types and scenarios of transfer (e.g. preliminary or contract termination clauses). Special clauses have a narrower scope of application. It is these clauses that offer modular construction referred to above. There are four separate modules:
- Transfer between a controller and a controller in a third country;
- Transfer between a controller and a processor in a third country;
- Transfer between a processor and a processor in a third country;
- Transfer between a processor and a controller in a third country.
Each of the modules listed above requires to be tailored to the relevant facts and nature of the contract. The third section of the new standard contractual clauses are schedules that include, among other things, a list of parties and a description of transfers, technical and organizational measures, and a list of processors.
The new contractual clauses took effect on 27 June 2021. But what about contracts drawn up based on the previous set of standard contractual clauses? They can remain unchanged for 18 months from the date of promulgation of the new clauses (until 27 December 2022). After that time, contracts and data transfer procedures must be realigned with the new regulations.
The exception is when the processing operations contemplated under the contract change. Under such circumstances, the standard contractual clauses of 27 June 2021 should be applied when drafting amendments to the contract.
The introduction of new standard contractual clauses was a much needed development. The new clauses not only comply with GDPR and judgments of the Court of Justice of the European Union, they also make it much easier to draft contracts for transfer of personal data to third countries, while at the same time ensuring security of the process. They are also much easier to use, more diverse, and are a better fit with the current realities. Therefore, it seems that they should at least to some extent clean up the legally wobbly issue of personal data transfer to countries outside the EU.