Post-Schrems: an end to the Standard Contractual Clauses?

Considering alternatives for international transfers of personal data

The validity of SCCs hangs in the balance, with the Schrems ruling expected in 2020. Whatever the outcome, your organization may already be reconsidering its options for international data transfers. Which factors should be taken into consideration when seeking alternatives? This blog explores alternative mechanisms in case the good old SCCs are indeed declared invalid.

Marloes Dankert & Diderik Bierens de Haan - 21 August 2019

Large amounts of personal data are sent across the globe every second, every day. These transfers of personal data to third countries or international organizations (“international transfers”) are regulated by the GDPR, which allows international transfers only under specific conditions (“mechanisms”). These mechanisms therefore have a great impact on many organizations. Recent developments, however, may cause legal uncertainty regarding the validity of one of the key mechanisms: the standard contractual clauses under article 46(2)(c) GDPR (“SCCs”). A ruling by the Court of Justice of the EU (CJEU), expected in 2020, could drastically change the foundation under the go-to solution for many organizations.

The reason for the CJEU to hear this case is the notorious “privacy battle” between Max Schrems and Facebook. Schrems, an Austrian privacy advocate, challenges the SCCs as “appropriate safeguards” for international transfers. Invalidation by the court would lead to great legal uncertainty. The million-dollar question therefore is: what can organizations do to prepare?

Visual overview of different mechanisms for international transfers

Legal background

International transfers are regulated by Chapter V (articles 44 to 50) of the GDPR. The main rule is that international transfers may only take place if they meet the requirements of one of the mechanisms in the GDPR. First, the adequacy decision (article 45): the EC can decide that the third country in question ensures an adequate level of protection (the so-called “whitelist”). Second, appropriate safeguards provided by the controller or processor (article 46). Possible safeguards include binding corporate rules or standard contractual clauses (provided by the EC or by national supervisory authorities). Third, derogations for specific situations (article 49) may allow for international transfers.

Schrems vs Facebook

Schrems has been involved in a privacy dispute with Facebook for many years. The current case concerns Schrems’ accusation that Facebook sends his personal data from Ireland to the US, which leads to a violation of his data protection rights and his rights under the Charter of Fundamental Rights of the EU. He claims that when Facebook processes his data in the US, national security agencies (e.g. FBI, NSA) may access his data. He allegedly would have no effective remedy to stop this. Schrems has initiated legal action against Facebook (not to send his personal data to the US) and the DPC (to force Facebook to stop transferring his personal data). The Irish court has decided to refer the case to the CJEU for a preliminary ruling on the validity of the SCCs.

Next steps

The CJEU could invalidate the SCCs if it rules they do not provide appropriate safeguards to protect the rights of EU data subjects. As a result, the transfer mechanism of SCCs could no longer be used. This would have a major impact, since a large number of organizations depend on SCCs for international transfers.

Which alternatives do organizations have to transfer personal data to third countries? The answer will very much depend on the specific circumstances, e.g. the type of organization, the nature of the transfer and of the personal data, and other contextual elements. We have drafted a general overview of the available mechanisms, with their pros and cons, below.

Deloitte is currently in the process of acquiring an overview of best practices: which alternatives would be suitable for organizations, and which mechanisms are considered best practices by our global network? Stay tuned if you are interested in learning the outcome of our survey!

More information on international transfers of personal data or Standard Contractual Clauses

Do you want to know more about international transfers of personal data or Standard Contractual Clauses? Please contact Marloes Dankert at +31 (0)88 288 7437.