The transmission of information for online communications, tracking of global supply chains, research sharing, and the provision of cross-border services will continue to be more and more critical in the global economy.
'Schrems II' Decision reminded us that the protection granted to personal data in the EEA must travel with the data wherever it goes. It will continue to affect transfers of personal data to third countries in 2022.
Organisations must ensure that a transfer impact assessment is carried out and that international data transfers only occur when in compliance with the GDPR, applicable EU courts' decisions and supervisory orientations. This has been one of the focal points of the data protection authorities, with several ongoing investigations, including orders to suspend data transfers immediately.
Pursuant to the EC Implementing Decision of June 4 2021, on standard contractual clauses (SCCs) for the transfer of personal data to third countries (outside the EEA), companies have until December 27 2022, to replace their current sets of SCCs.
Regarding Trans-Atlantic data flows, there are growing talks and news of a trans-Atlantic data accord to replace the cancelled Privacy Shield agreement.
Challenges:
- More than ever, organisations must ensure the adoption of actions that guarantee a comprehensive view of all international data transfers so that they can evaluate the possibility to continue with such transfers in a lawful and legitimate, avoiding significant business impacts.
Actions:
- Conduct transfer risk and impact assessments (TRA/TIA) adopt adequate, appropriate safeguards (e.g. new SCCs) and supplementary measures to ensure lawful data transfers.