C-Suite Advisory

Forgotten revolution which may impact transatlantic relations

According to the famous EU data protection regulation (GDPR), the transfer of personal data from the UE to third countries (such as the USA, Russia, India, or China – nice bunch, isn’t it?) is subject to additional safeguards to ensure that our (“European”) data are secure abroad at a level acceptable under GDPR. 

Usually, such additional safeguards are proved by contractual instruments, namely by signing a set of Standard Contractual Clauses (SCC) drafted by the EU Commission. The idea was simple: once the appropriate set of the SCC was signed, data transfer from the UE to the third country was deemed legal. Looks simple and brilliant. 

But, in June 2021, the EU Commission set out a brand new set of Standard Contractual Clauses. These are gradually replacing the “old” (i.e. existing) SCC. 

What has changed? The modular structure of the SCC has been retained (the parties select the relevant provisions by customizing the content of the contract) as has the principle of warranty liability (the SCC includes Reps & Warranties well-known from M&A transactions). A new feature is the introduction of a docking clause (allowing flexible accession to the SCC) and particularly the widening of the range of situations in which the new SCC applies. From now on the new SCC cover variety of situations, which is great. Still, not all situations are covered, which is bad. 

To make things even worse, in order to comply with new regulations, there is now a requirement to carry out a documented Transfer Impact Assessment (TIA). A TIA involves a multi-faceted assessment of the circumstances of the data transfer, data protection law and practice applicable in the third country, etc. If doubts arise as to the level of data security in a third country, additional measures (IT, organizational, legal, you name it) have to be taken. 

All these quite vague procedures are to be followed by the entities transferring data. These entities – usually private entrepreneurs and their directors – will bear negative consequences in case of negligence or a mere mistake, including responsibility for illegal data transfers.

But it is not all. According to the new law, all existing SCC must be replaced by the new ones (after the TIA procedure and application of the relevant additional measures) by 27 December 2022. 

In many cases steps should be taken right now, as the organizational challenges of carrying out a significant number of TIAs and implementing (meaning: negotiating) new SCC could be a task comparable to the implementation of the GDPR in 2018.

Being the EU data protection lawyer I already learned, that many multinational organizations are bound by dozens of thousands (yes, thousands!) of the “old” SCC. And they all must be replaced by the new ones in less than a year. Considering legal risks, potential negotiations, and contracts customization, replacing this number of contracts is an ambitious task. Simultaneously, many (majority!) of international organizations operating both in the EU and the USA, China, Russia, or India will have to face this challenge really soon. 

Interestingly, not many international entrepreneurs seem to be aware of this challenge. If they want to stay compliant, they have to act now and contact their European legal advisor.


Written by Dr. Bartosz Marcinkowski, a certified legal counsel, DZP Partner (the largest independent law firm in Poland), head of DZP Data Protection Team. He is a member of the International Bar Association (IBA) and European Leadership Group at Meritas Law Firms Worldwide, as well as head of Meritas Data Protection Practice Group.

Have you read?

Best CEOs In the World Of 2022.
Best Citizenship and Residency by Investment Programs.
These are the world’s most and least powerful passports, 2022.
The World’s Richest People (Top 100 Billionaires, 2022).
# Case Study: Warren BuffettLVMH’s Bernard ArnaultApple’s Tim Cook, and Elon Musk.

Track Latest News Live on CEOWORLD magazine and get news updates from the United States and around the world. The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine.
Follow CEOWORLD magazine headlines on: Google News, LinkedIn, Twitter, and Facebook.
Thank you for supporting our journalism. Subscribe here.
For media queries, please contact: info@ceoworld.biz
Dr. Bartosz Marcinkowski

Dr. Bartosz Marcinkowski

Partner, Corporate and M&A Practice at Domański Zakrzewski Palinka (DZP)
Having started 20+ years ago with EY Law, Dr. Bartosz Marcinkowski is a Partner at DZP, the biggest independent law firm in Poland (Andersen and EY spin-off). Businesswise he specializes in international M&A and Data Privacy, focusing on Polish, British, American, Nordic, and Israeli markets. In academic activities, Bartosz cooperates, among others, with the Catholic University of America (Washington D.C.), publishing papers and articles in international journals. Ph.D. holder (EU-USA data privacy legal standards); member of the International Bar Association (IBA) as well as of the European Leadership Group at 'Meritas' Law Firms Worldwide, where he also is the head of Data Protection Practice Group. On a daily basis, I head a team of 20-professionals in 4 locations, incl. Warsaw and London. Dr. Bartosz Marcinkowski is an opinion columnist for the CEOWORLD magazine. Follow him on LinkedIn.