A big GDPR deadline is looming in December 2022 which may affect your law firm — even if it is based in the U.S.
On December 27, 2022, all existing contracts governed by the General Data Protection Regulation (GDPR) must use the updated Standard Contractual Clauses (SCCs) issued by the European Commission.
While the GDPR is a European Union (EU) regulatory scheme, it can affect entities and individuals outside the EU under certain circumstances.
If the GDPR affects your firm, you should understand exactly what will happen in December and how you can prepare.
Does the GDPR apply to your firm?
The GDPR is a legal framework governing the collection and processing of personal information from individuals living in the EU. Adopted in 2016 and put into effect in 2018, the GDPR is intended to give consumers the right to control their data.
Notably, it applies to companies based outside of the EU which offer products or services to EU customers.
So, how can a law firm collect personal data that is subject to the GDPR?
If the firm has employees in the EU, any human resource data about those employees would most likely be covered by the GDPR. Data about the firm’s clients could be subject to GDPR if (1) the client is located in Europe or (2) if the data is processed out of a firm’s satellite office in Europe. The same guidelines would apply to data received from clients to be used in the firm’s representation.
Failure to comply with the GDPR can be costly.
Over 900 GDPR fines have been issued in the European Economic Area and the U.K. (before the U.K. left the EU with “Brexit”). Total GDPR fines reached over one billion dollars in just the third quarter of 2021.
Many well-known companies have been fined, such as Amazon and Facebook, with the Amazon fine of $877 million being the largest ever.
What happens in December 2022?
The updated Standard Contractual Clauses (SCCs) were issued by the European Commission on June 4, 2021.
Beginning on September 27, 2021, all new contracts were required to contain the updated SCCs. After December 27, 2022, all existing contracts will also have to include the updated SCCs.
SCCs are model contract clauses that have been pre-approved by the European Commission for use in contracts. The June 2021 update of the SCCs was prompted by the July 2020 decision, handed down by the Court of Justice of the European Union, commonly referred to as “Schrems II.”
Schrems II impacts how companies transfer personal data outside the EU. Specifically, the decision requires businesses to assess country and transfer risks before transferring data from the EU to non-EU countries that fail to offer an adequate level of data protection under the GDPR.
Based on Schrems II, the updated SCCs include language to keep contracts compliant with regard to data transfers outside the EU.
They include two sets of model clauses, with one set applicable to international transfers of data out of the EU, and the other applicable to data transfers within the EU.
The updated SCCs also include other innovations to keep contracts in line with the GDPR.
How can your firm prepare for the December deadline?
Your firm will need to take a number of steps to comply with the December GDPR deadline.
Any existing contracts subject to the GDPR will need to be updated to include the new SCCs.
The process of updating contracts, commonly known as “repapering,” should be started well ahead of the December 27 deadline.
While your firm will need to take these steps for its own contracts, it is possible you will also be called on to advise your clients on these required contract updates.
The SCCs apply to two different categories of entities that handle personal information, known as “controllers” and “processors.” There is some debate as to whether law firms act as data controllers or data processors, and the distinction will likely change with different factual scenarios.
Regardless of which category they fall under, firms should act as quickly as possible to not only ensure their own contracts are updated, but also that any contractors that work with the firm are also in GDPR compliance.
Firms may have different options for dealing with the updated SCCs, such as incorporating the new SCCs into existing contracts by reference. If your firm does not have expertise in GDPR compliance, it is likely advisable to seek outside legal advice.
If your firm is affected by the GDPR, keep the December deadline in mind and do not delay in ensuring compliance.