The Wall Street Journal reported September 9th, 2020 on a preliminary order by the Irisch data privacy authority (Data Protection Commission, DPC) towards Facebook (FB) quoting Nick Clegg, Facebooks top policy and communications executive, saying that the regulator has informed Facebook that they can not use Standard Contractual Clauses (SCC) for transferring personal data from EU to USA.
This bold statement is something we all should take serious. It means that the SCC without supplementary measures can’t be used for transfers between EU and US.
It does not mean that SCC with supplementary measures can’t be used. The Court of Justice of European Union (CJEU) in its ruling on Privacy Shield (so called Schrems II judgement) has intensively stated that SCC are still a valid transfer mechanism and has indicated that supplementary measures might have to be taken.
To do:
- Immediately start investigating where you have SCC in place and check countries of data importer and all sub processors
- Contact data importer and task it with investigation in its local law as indicated by CJEU in Schrems II judgement
- See for supplementary measures – see article down below for some ideas – and get them in place if needed due to local law at your data importer or its sub processor jurisdiction.