Abstract

The text answers the question whether contractual solutions (and other “soft” or “semi-soft” regulation methods, such as self-regulation and co-regulation measures) can help address the issues arising in the area of personal data protection as a result of CJEU’s Schrems II judgment of 16 July 2020.Following the CJEU judgment, fundamental doubts have arisen regarding the transfer of personal data to third countries based on standard contractual clauses issued under Directive 95/46 which is no longer valid. The European Commission tried to dispel these doubts by issuing a new set of standard contractual clauses (on 4 June 2021, i.e. on the anniversary of the Schrems II judgment). On the one hand, one should recognise and appreciate their modern, modular form, allowing for the content of the contract to be tailored to the needs of the parties to a legal relationship; a much broader list of factual situations in which the standard clauses will apply; and the parties’ risk-based liability under representations and warranties that are known to us from commercial and M&A transactions. On the other hand, one cannot fail to notice, for instance, that the burden of making a comprehensive TIA (transfer impact assessment) has been shifted onto the parties to a legal relationship. This includes assessment of the democratic society model and limitations resulting from the interaction between the standard contractual clauses developed by the European Commission and regulations in force in third countries, e.g. those granting the intelligence services of these countries the right to access data originating from the EU. Therefore, the assessment of the standard contractual clauses cannot be exclusively positive, although it is to be welcomed that regulators are seeking alternative solutions to regulate global transfers of personal data and the potential that such solutions have for the development of a global system for the protection of personal data must be appreciated.