The upcoming date of December 27, 2022, marks the end of the roughly one year and a half-long transition period that companies had to replace any the old versions of the standard contractual clauses for international transfers of personal data by the new standard contractual clauses, which the European Commission adopted on June 4, 2021. As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still on to the old version of the standard contractual clauses.
Covington is well placed to assisting clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.
Other Recent Developments
Executive order to Implement EU-U.S. Data Privacy Framework
On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under a new EU-U.S. Data Privacy Framework. The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is intended to address the concerns raised by the Court of Justice of the EU in its Schrems II judgment on July 16, 2020, which annulled the prior EU-U.S. Privacy Shield.
The European Commission is now assessing the Executive Order. Assuming the assessment is positive, which is widely expected, the Commission will prepare a draft adequacy decision pursuant to Article 45 of GDPR. The European Commission is also expected to confer with the EDPB, and EU Member States must approve it. The formal adoption process is expected to take around six months, and could result in the final adequacy decision’s publication before the Summer of 2023.
Once adopted, privacy advocacy groups are expected the challenge the new Framework – some already have issued statements opining that the new Executive Order is insufficient. Similarly, the German Supervisory Authority of Baden Wuerttemberg issued a statement expressing its concerns about deficiencies of the Executive Order. The Italian Supervisory Authority also issued a statement on the Executive Order identifying the Order’s pros and cons.
Other Standard Contractual Clauses for non-EU Controllers Subject to The GDPR
The European Commission is, in parallel, working on standard contractual clauses for international data transfers to controllers and processors established outside of the EU that are subject to the GDPR. This includes, for example, controllers outside of the EU that target goods or services to individuals residing in the EU. The European Commission is drafting these new clauses because the existing new standard contractual clauses, adopted on June 4, 2021, are meant to be used only for transfers of personal data to controllers and processors outside of the EU that are not subject to the GDPR.
The Covington team will keep monitoring any developments on international data transfers and continue to report on them on our blog Inside Privacy.