Update In the Post-Schrems II Era and Guidance for the Use of Standard Contract Clauses

Written by: Richard Sheinis, Esq.

It has been almost two (2) months since the EU Court of Justice struck down the EU-US Privacy Shield.  At the same time, while holding that the Standard Contract Clauses (“SCC”) in principle are still valid, the Court cautioned that SCC must still provide the level of protection guaranteed by the GDPR.  Unfortunately, the Court did not provide guidance as to what needs to be done to the SCC so they satisfy GDPR standards.

The concern with the SCC is that they are not sufficient if authorities, such as intelligence agencies, can access personal data in a way that compromises the rights of the data subject.  We now have specific guidance on how to solve this problem, courtesy of the Commissioner for Data Protection and Freedom of Information for the German State of Baden – Württemberg (Landesbeauftragter für Datenschutz und Informations freiheit Baden – Württemberg, “LfDI BW”).

The guidance states that if the SCC cannot bind authorities in the country in which the data is received, the parties must have supplementary mechanisms in place to keep the data from the prying eyes of the US intelligence agencies and the like.  Such mechanisms include data encryption where only the data exporter has the key and US agencies cannot decrypt the data.  Another solution would be to anonymize or pseudonymize the data where only the data exporter can link the data to a subject.

The LfDI BW provided a checklist for data exporters to address cross-border data transfer:

  1. Identify where personal data is transferred outside the EEA.
  2. Contact the service provider/contract partner in the third country and inform them about the Schrems II decision and its consequences.
  3. Collect information on the legal system of the third country to which personal data is transferred.
  4. Check whether the third country is covered by an adequacy decision by the EU.
  5. Review whether SCCs can be used without additional measures. This is not the case if authorities of the third country can disproportionally interfere with data subject’s rights (e.g. mass retrieval of data without informing the data subjects and without procedural safeguards such as court order) and there is no effective legal protection with regard to such interference.
  6. Review whether personal data may be transferred to the third country based on SCCs in combination with supplementary measure (e.g. encryption, agreement that data will be hosted in a country where GDPR applies).

Keep in mind that this guidance is only from one authority.  We do not know if all supervisory authorities will agree, but at least it is a step in the right direction pending more definitive guidance from the European Data Protection Board.