


Personal data transfers abroad: where do we stand?


published on 19 September 2022 | reading time approx. 4 minutes

On 7 and 8 September 2022, the second meeting of the G7 Data Protection Authorities was held in Bonn. The Italian DPA also took part, together with representatives from Canada, France, Germany, Japan, the UK, and - for the US - the Chairman of the Federal Trade Commission, as well as the Chairwoman of the European Data Protection Board, Andrea Jelinek, and the European Data Protection Supervisor, Wojciech Wiewiórowski.

One of the main topics discussed was the transfer of personal data abroad: as is well known, following the invalidation of the Privacy Shield by the Court of Justice, the guarantee for transfers to the United States came to an end, and since then, despite several attempts to reach an agreement with the US government, data controllers have been obliged to treat that country in the same way as all those without an adequacy decision by the Commission.

As a result of the Schrems judgments, with reference to all countries without an adequacy decision, data controllers had to assess not only the level of accountability offered by the third parties involved in the processing operations, but also the level of personal data protection offered by the data importers (by carrying out Data Transfer Impact Assessments).
 
The topic addressed during the G7 was even broader: the discussion concerned not only the US but, more generally, issues related to the secure and trustworthy processing of personal data across borders in the context of an increasingly digitised and global society, the 'Data Free Flow with Trust' (DFFT) proposed in 2019 by the then Japanese Prime Minister Shinzo Abe. Last May, in fact, the G7 Digital Ministers adopted an action plan to promote DFFT, which set the framework. What the authorities are aiming for is a balance between interests such as the digital economy and the protection of citizens' individual rights.

While the DPAs exchange views, however, it should not be forgotten that in June 2021, the European Commission adopted Implementing Decision (EU) No. 2021/914, which repealed Decisions 2001/497/EC and 2010/87/EU on Standard Contractual Clauses for international data transfers as of 27 September 2021.

As of 27 September 2021, therefore, all new contracts must already be accompanied by the new SCCs, if they involve non-EU data transfers. But that's not all, as contracts concluded before that date will also have to be brought into line with the update at some point: the European Commission has granted a grace period until 27 December 2022 for contracts concluded before 27 September 2021, provided that the processing operations covered by the contracts have remained unchanged and that the use of such clauses ensures that the transfer of personal data is subject to adequate safeguards. 

Have data controllers taken steps to adapt contracts that involve a transfer abroad? This involves mapping all suppliers/partners who process personal data outside the EU or outside the European Economic Area, verifying that all new suppliers/partners - who transfer data - contracted from 27 September 2021 onwards have signed up to the new SCCs, updating the transfer assessment checklists ("DTIAs") already in place and sending the new DTIAs to the transferring suppliers, assigning a strict deadline to the supplier/partner for feedback, then sending the updated and completed SCCs (according to the specific form) to the mapped suppliers/partners who perform data transfers - and who have or have not returned the completed DTIA. All this must be done by 27 December 2022.

The issue of transfers, already topical in view of the deadline, has become a trending topic in Italy as a result of the DPA’s decision of 9 June on the Google Analytics cookie: in this decision, the DPA stated that the installation of this cookie entails a transfer to the United States that should absolutely be avoided, considering that, on assessment, Google is not able to guarantee technical and organisational measures adequate to ensure a level of data protection equivalent to the European one. Data controllers are therefore partly obliged to speed up their processes of compliance with the new SCCs (if any), at least with regard to the provider Google, and then to proceed with particular caution also with regard to the other providers established in the US.

Violation of the transfer regulations, as referred to in Article 44 ff. of the GDPR, is subject to administrative fines of up to Euro 20,000,000, or for companies, up to 4 per cent of the total annual worldwide turnover of the previous year, whichever is higher. In addition to this, data protection compliance is taking on the value of a fundamental requirement for the participation and award of public and private tenders, with all the related consequences for data controllers.


contact


Nadia Martini

Lawyer

Partner

+39 02 6328 841
