Max Schrems Strikes Again

You must now promptly update your Standard Contractual Clauses to maintain a legal basis for the cross-border transfer of personal data.

As background: the General Data Protection Regulation (“GDPR”) stipulates that international personal data transfers can only be made to countries deemed to have adequate privacy regimes. “Adequacy” is determined by the EU Data Protection Authority (“DPA”). International companies often have residences in non-EU countries deemed “not adequate”.

(The jokes write themselves, folks.)

How does such a company transfer corporate data internationally? One solution is to issue “Binding Corporate Rules” that create strict standards for the “processing” of personal data among corporate entities. A more popular mechanism for transference is adopting the Standard/Model Contractual Clauses (“SCCs”) approved by the DPA.

US companies are targets because Europe deems the US to not have adequate privacy protection. Due to the billions of dollars of commerce between the US and the EU, the US Department of Commerce negotiated a certification program entitled, “Safe Harbor”. Austrian activist Max Schrems sued, and that program was invalidated by the Irish Courts. He also sued to invalidate its replacement, “Privacy Shield”…and won again.

This means that, if you rely on the Privacy Shield, you should also rely on another mechanism that is lawful. New SCCs have been finalized and officially published. This unfortunately means that the existing SCCs are repealed as of 27 September 2021. (Contracts concluded on the basis of the existing SCCs remain valid until 27 December 2022.)

Our recommendation: review your mechanisms for cross border transfers of personal data outside the EU.

Review your SCCs and update to the new standard (which requires, among other things, more due diligence).

If currently certified as Privacy Shield-compliant, make sure you stay certified. (A Privacy Shield 2.0 is in the works and should be validated by the EU.)