Standard Contractual Clauses (SCC) are no longer a valid transfer mechanism, says the Irish data privacy authority

On September 9th, 2020 the Wall Street Journal reported on a preliminary order by the Irish data privacy authority (Data Protection Commission, DPC) against Facebook (FB), quoting Nick Clegg, Facebook's top policy and communications executive, as saying that the regulator has informed Facebook that it cannot use Standard Contractual Clauses (SCC) for transferring personal data from the EU to the USA.

This bold statement is something we all should take seriously. It means that SCC without supplementary measures cannot be used for transfers between the EU and the US.

It does not mean that SCC with supplementary measures cannot be used. The Court of Justice of the European Union (CJEU), in its ruling on Privacy Shield (the so-called Schrems II judgement), has stated expressly that SCC are still a valid transfer mechanism and has indicated that supplementary measures might have to be taken.

To do:

  • Immediately start investigating where you have SCC in place and check the countries of the data importer and of all sub-processors
  • Contact the data importer and task it with investigating its local law, as indicated by the CJEU in the Schrems II judgement
  • Look for supplementary measures (see the article further down for some ideas) and put them in place if needed, because of the local law in the jurisdiction of your data importer or its sub-processors.

Accountability Framework by ICO

The UK ICO has published a "beta" accountability framework, which is an excellent and broad starting point for checking your GDPR implementation!

You might use it to:

  • check your GDPR implementation, either as a whole or with regard to certain aspects
  • demonstrate compliance towards business partners or authorities
  • use it as some sort of checklist

The ICO lists some further uses for the framework.

The framework has 10 chapters:

  • Leadership and oversight
  • Policies and procedures
  • Training and awareness
  • Individual rights
  • Transparency
  • Records of processing and lawful basis
  • Contracts and data sharing
  • Risks and Data Protection Impact Assessment (DPIA)
  • Records management and security
  • Breach response and monitoring

Each chapter has several sub-chapters, which are short, precise, mostly in the form of bullet lists, and end with three questions to check yourself against.

For example, in the transparency sub-chapter "Tools supporting transparency and control" the questions are:

  • “Would the public say that your policies are clear, easy to find and access?
  • Do they feel appropriately supported in accessing, determining and managing how their data is used?
  • Would children say the same?”

Now think about the last three transparency documents you have written or read, say the privacy policy or cookie banner of some websites. Do they hold up to these questions? I'd say no, and they offer no tools at all to manage the user's personal data, especially once the user has clicked away the big cookie-banner overlay.

The ICO says it is "beta" and open to comment. It is indeed, but it is already very far-reaching and good. This does not mean that you do not need to think for yourself about your actual situation, but it is already a very powerful collection of topics to watch for.

Websites collecting laws, directives and regulations

There are two websites I use regularly to search for laws in Germany and in the EU, which I can highly recommend:

German law:
This is in German only, but it is the best source I know of. Very fast search engine, historical development per section and so on. Very helpful.

If you need the English wording:
Where a translation to English exists (by far not for all laws), there is a UK flag in one of the top rows to switch to the English wording of the respective law. The menus and everything else stay in German.

EU law:
Functionality similar to buzer, but dedicated to EU law. Very helpful, too.

If you need other languages, there is always a link to EUR-Lex, the official website of the EU, leading directly to the directive or regulation, where you can choose whichever EU language you need.

Supplementary measures to Standard Contractual Clauses proposed by supervisory authority

The supervisory authority of Baden-Wuerttemberg, Germany has published a guideline with examples of supplementary measures to add to Standard Contractual Clauses (SCC). This applies to all data transfers from a country in the European Union (EU) or the European Economic Area (EEA) to a country outside the EU / EEA, a so-called third country, and is not limited to transfers to the USA. For example, it also applies to the transfer of personal data from the EU to the UK.

Requirements for using SCC for transfers of personal data to the USA and to countries with similar laws:

  • Encryption
    • only the data exporter in the EU holds the key, and
    • the encryption cannot be broken by US authorities, or
  • Anonymization or pseudonymization where only the data exporter in the EU can link the data back to an individual.
  • Additionally, you might add clauses to your contract that
    • data shall only be hosted where the GDPR applies (see Art. 3 section 2 GDPR; this can be more than the EU and EEA, but essentially they are saying: keep it in the EU / EEA) and
    • there is no data transfer to the USA.

USA and SCC: the authority is of the opinion that SCC can only be used for transfers to the US in rare cases, because of the criteria set by the Court of Justice of the European Union (CJEU).

The same will apply to exports of personal data to all other countries where individuals do not have data privacy rights similar to those in the EU or, probably easier to test, which have laws giving authorities powers similar to those in the US.

They propose to use additional wording in the SCC as follows:
  • Clause 4.(f): change this clause so that it applies to all data transfers, not only to special categories of personal data
  • Clause 5.(d).(i): change this clause so that it obligates the data importer to inform not only the data exporter but also the individual about any action by authorities to disclose personal data; if this is prohibited by law, the data exporter shall get in contact with its supervisory authority.
    • Comment: this must be read as the data importer needing to contact the supervisory authority of the data exporter in such a case, as the data importer is normally legally prohibited from informing the data exporter. It would need to be investigated whether the data importer (in a country outside the EU) is allowed to inform a supervisory authority in the EU, i.e. in another country, which is doubtful.
  • Clause 5.(d): add wording that the data importer will challenge any request by authorities to access personal data and will not grant access to such data until a final court decision.
  • Clause 7.(1): delete subsection (a) and keep only subsection (b).
  • Always include the liability clause given in Appendix 2 of the SCC.

Art. 49 GDPR
One possible solution is to use the derogations in Art. 49 GDPR. The authority says that these can only be used in limited cases. It is an exception clause and can only be used for occasional transfers (see recital 111 GDPR). Art. 49 section 1 sentence 2 is even narrower than Art. 49 section 1 sentence 1 (a) to (g) GDPR.
Essentially, they are saying: do not base your regular data transfers to a third country on Art. 49 GDPR; use it only for occasional data transfers.

Comment: That is a very interesting statement by the authority. One could also read recital 111 sentence 1 GDPR such that the phrase "where the transfer is occasional and necessary in relation to a contract or a legal claim …" is separate from the beginning of that same sentence, which deals with consent. Therefore Art. 49.(1).(a) GDPR, dealing with consent, is not affected by "occasional" and can be used. The words "occasional and necessary" in recital 111 GDPR only apply to Art. 49.(1).(b), (c) and (e) GDPR.

That Art. 49.(1) sentence 2 GDPR is limited follows from its wording, e.g. "Where a transfer could not be based on …" and "… not repetitive, concerns only a limited number of data subjects …".

The supervisory authority mentions BCR only in a sub-clause, but indicates that they can be used instead of other transfer safeguards. They do not (!) say that BCR have the same issues as SCC. Most data privacy experts in Germany think that the wording of the CJEU's Schrems II ruling is quite clear where it says that contracts cannot override national law. This also holds for internal codes of conduct such as BCR, and therefore it seems that BCR need to be adapted in the same way as SCC.