The supervisory authority of Baden-Wuerttemberg, Germany has published a guideline with examples for supplementary measures to add to Standard Contractual Clauses (SCC). This applies to all data transfer from a country in European Union (EU) or European Economic Area (EEA) to a country outside EU / EEA – so called third country and is not limited to the transfer to USA. For example, it also applies to the transfer of personal data from EU to UK.
Requirements to use SCC for transfer of personal data to USA and countries with similar laws:
- Only data exporter in EU shall have the key, and
- encryption in a way which can’t be broken by US authorities, or
- Anonymization or pseudomization where only the data exporter in EU can link the data to an individual.
- Additionally, you might add clauses to your contract that
- data shall only be hosted where GDPR applies (see Art. 3 section 2 GDPR, this can be more than EU and EEA, but essentially, they are saying: keep it in EU / EEA) and
- that there is no data transfer to USA.
USA and SCC: the authority is of the opinion that the SCC can only be used for transfer to US in seldom cases due to the criteria set by the Court of Justice of European Union (CJEU).
The same will apply to export of personal data to all other countries in the world where the individuals do not have similar rights as in EU in regard to data privacy or – probably easier to test – which have similar laws for authorities in place as US has.
They propose to use additional wording in SCC as follows:
▪ Clause 4.(f): change this clause that it applies to all data transfer not only for special categories of personal data
▪ Clause 5.(d).(i): change this clause in a way which obligates the data importer not only to inform the data exporter but also the individual about any actions by authorities to disclose personal data; if this is prohibited by law, the data exporter shall get in contact with its supervisory authority.
⁃ Comment: this must be interpreted as the data importer needs to contact the supervisory authority of the data exporter in such case, as the data importer normally is legally prohibited to inform the data exporter. It would be needed to investigate if the data importer (in a country outside EU) is allowed to inform a supervisory authority in EU and therefore in another country – which is doubtful.
▪ Clause 5.(d): add wording to that clause, that the data importer will challenge any request by authorities to access personal data, not granting access to such data until last instance court decision.
▪ Clause 7.(1): delete subsection (a) and only stay with subsection (b).
▪ Always include the liability clause given in Appendix 2 of the SCC.
Art. 49 GDPR
One of the possible solutions is to use the safeguards in Art. 49 GDPR. The authority says that these can only be used in limited cases. It is an exception clause and can only be used for occasional transfer (see recital 111 GDPR). Section 1 sentence 2 is even narrower than Art. 49 section 1 sentence 1.a) to g) GDPR.
Essentially, they are saying: do not base your regular data transfer to a third country on Art. 49 GDPR, only use it for occasional data transfers.
Comment: That’s a very interesting statement by the authority. One could also read recital 111 sentence one GDPR, where it is said „where the transfer is occasional and necessary in relation to a contract or a legal claim …“ is separate from the beginning of that same sentence dealing with consent. Therefore Art. 49.(1).(a) GDPR dealing with consent is not affected by „occasional“ and can be used. The words „occasional and necessary“ in recital 111 GDPR only apply to Art. 49.(1).(b), (c) and (e) GDPR.
That Art. 49.(1) sentence 2 GDPR is limited is given by its wording, e.g. „Where a transfer could not be based on…“ and „… not repetitive, concerns only a limited number of data subject…“.
The supervisory authority only mentions BCR in a sub-clause but indicates that they can be used instead of other transfer safeguards. They do not (!) say, that BCR have the same issues as SCC have. Most of the data privacy experts in Germany do think that the wording in the Schrems II ruling of the CJEU is quite clear, where it is said that contracts can’t overpower national law. This is also valid for internal code of conducts, like BCR, and therefore it seems that BCR need to be adopted in the same way as SCC.