
New regulations for international data transfer

Newsflash: Standard data protection clauses for international data transfers to become invalid at the end of 2022

Published on 8 November 2022

The “old” standard contractual clauses for international data transfers (especially to the USA) will no longer be valid from the end of December 2022. If you or your company transfer personal data to third countries, these third country transfers must be reviewed by 27 December 2022. Act before the deadline to avoid penalties!

Legal background
The standard contractual clauses (“SCCs”) represent one of several possible transfer mechanisms for transferring personal data to third countries with a level of data protection lower than that of the European Union. Because the old SCCs no longer provide sufficient protection – especially against the background of the ECJ’s “Schrems II decision” and the repeal of the Privacy Shield – the EU Commission adopted “new SCCs” in June 2021.
 
The implementation deadline for the new SCCs expires on 27 December 2022. After that date, you or your company can only use the new SCCs, and any agreement already concluded for third-country transfers must be adapted to meet the new requirements.
 
Impending measures and penalties

Sending personal data to third countries on the basis of the old SCCs or continuing to use them without adapting them to the new requirements constitutes a breach of the General Data Protection Regulation (“GDPR”), which is punishable by a fine of up to EUR 20 million or 4 percent of the annual worldwide turnover of the previous business year (cf. Art. 83(5)(c) GDPR).
 
After the deadline expires, enforcement measures by the Data Protection Authority are possible. The Data Protection Authority was particularly strict in the case of unlawful third-country transfers in the “Google Analytics decisions”. Associations, such as NOYB, are also expected to initiate a new wave of complaints (as has already happened in connection with cookies) in order to enforce compliance with the new regulations. Moreover, the Association for Consumer Information (VKI) is also authorised to assert certain data violations in the case of third-country transfers.
 
What you should do next:

To avoid penalties, we recommend that data transfers to unsafe third countries are checked as follows:

  1. Check on which legal basis and to which contractual partners personal data is transferred to third countries.
  2. The new SCCs are based on four different modules: find out which of the SCC modules relates to your third country transfers.
  3. Conduct the risk and impact assessment (known as Transfer Impact Assessment, TIA) in accordance with the new SCCs for the respective third country transfers with the support of the contractual partners.
  4. Set security measures appropriate to the risks evaluated.
  5. Document your findings and set a date for the next evaluation with the contractors. The new SCCs are not a “fire-and-forget” solution, but need to be adapted according to the legal risks and changes in the unsafe third countries (e.g. if adequacy decisions concerning third countries are repealed – as happened with the USA – or certain national laws are enacted in third countries, etc.).

 
For questions and support when adapting your third-country transfers to meet the new legal requirements, please contact Christina Maria Schwaiger, CIPP/E, CIPM, and Johannes Juranek, Managing Partner and Head of the Technology, Media and Communications Department.

Key contacts

Johannes Juranek
Managing Partner
Vienna
Christina Maria Schwaiger
Lawyer
Vienna