Why SCCs may not be enough to cover international data transfers

A German publishing company has become the first organisation to face enforcement action for its use of SCCs (standard contractual clauses) following the demise of the EU–US Privacy Shield.

The BayLDA (Bavarian Data Protection Authority) ruled that the publisher failed to provide appropriate safeguards when transferring personal data outside the EU.

This is despite the fact that it used SCCs for a routine data transfer: it was sharing email addresses with the US marketing automation platform Mailchimp.

Many people speculated that SCCs alone would be a sufficient alternative to the Privacy Shield, but the BayLDA’s decision demonstrates that serious issues remain.

What went wrong?

When assessing the level of protection involved in data transfers, organisations must take account of the wording of the SCC and the legal system of the country to which the data is being transferred.

The BayLDA determined that Mailchimp may qualify as an “electronic communication service provider” under FISA 702. This US law regulates foreign intelligence surveillance and gives the US government the right to access information that’s shared with US organisations.

However, EU laws prohibit this; it’s the reason that the Privacy Shield and its predecessor, Safe Harbor, were repealed.

To avoid this problem, data exporters and data importers are required to adopt supplementary measures to ensure that the information is protected from US surveillance.

The EDPB (European Data Protection Board) has published a list of measures that may be suitable, which include:

  • A commitment to transparency;
  • Enhanced audits to verify whether personal data has been provided to government authorities;
  • Contractual commitments to challenge government access to data in court prior to disclosing it; and
  • Commitments to enable data subject rights.

The guidance also includes technical and organisational measures, such as encryption and internal policies. However, although these are useful for addressing security weaknesses, they don’t protect organisations from US surveillance.

Are your SCCs sufficient?

The BayLDA’s ruling complicates an issue that already had data protection officers unsure of exactly how to manage data transfers.

Fortunately for the organisation in question, it escaped a fine because it had only transferred personal data to Mailchimp twice and agreed to stop using its service. However, it’s unlikely that other organisations will be afforded the same leniency.

For any organisation transferring personal data to a third country – particularly the US – it’s therefore essential to review your use of SCCs. If you fail to do so, you may well be subject to enforcement action and a hefty fine.

If you’re unsure how to get started, GRCI Law is here to help. With our GDPR Contract and Legal Services, you can receive legal and compliance support from our experts.

Our team of qualified lawyers has extensive experience working in data protection law, including writing contracts, enabling GDPR compliance and dealing with the supervisory authorities.