11. November 2022

The Beginner's Guide to Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are an essential measure mandated by the GDPR. Find out what they are about in our Beginner's Guide.

The Schrems II ruling has shaken things up in the world of data protection since the Court of Justice of the European Union (CJEU) handed it down in 2020.

Until the ruling, the so-called Privacy Shield agreement applied. It enabled the free exchange of data between the EU and the USA. The CJEU invalidated it without replacement. 

All of a sudden, it became far more difficult to transfer personal data to the US in a legally compliant manner – and that is almost always necessary when using US-based marketing and analytics tools, such as Google Analytics. 

In truth, since the ruling, most European and American companies have been operating on very thin legal ice. 

So what to do? Fortunately, the General Data Protection Regulation has a solution ready for such cases. It is called Standard Contractual Clauses (SCCs).

OK, what are Standard Contractual Clauses?

Standard Contractual Clauses become necessary when there is no data protection agreement with a third country in place, as is currently the case with the US. 

As an alternative to an agreement, the EU Commission can also decide that the level of data protection in the country in question is adequate. If there is no so-called adequacy decision for a country, Standard Contractual Clauses also become necessary. Here you can find the list of countries the EU Commission certified as adequate in regard to data protection.

SCCs are contract templates that have been explicitly approved by the EU Commission to ensure that personal data is adequately protected in the third country. These contracts are concluded between the data exporter (e.g. a company in the EU) and the data importer (e.g. the provider of a tool based in the USA).

They act as a kind of quality seal: the data exporter must ensure that SCCs are put in place. The data importer in the third country (e.g. Google, Facebook, etc.) in turn guarantees to ensure EU-level data protection. 

So instead of a large data protection agreement between two countries, companies simply conclude small agreements among themselves. This way, personal data can be transferred to a third country in a legally compliant manner. 

So all is well? Not at all. Unfortunately, in the case of the USA, there is a not-insignificant problem. 

Why are transfers to the USA a problem despite SCCs?

To understand why standard contractual clauses are unlikely to be sufficient for transfers to the US, we need to make a small digression into politics. 

The CJEU overturned Privacy Shield mainly because US intelligence agencies have broad access to the personal data of EU citizens, a consequence of the drastic surveillance measures after 9/11. This was confirmed, among other things, by the Snowden revelations. 

At the same time, the CJEU found both the oversight of intelligence services in data protection matters and the data protection rights of EU citizens seriously lacking. Reason enough for the court to invalidate the entire agreement.

And therein lies the pitfall. 

In the case of the US, the fundamental problem of intelligence surveillance has not changed since the CJEU ruling. An intelligence agency can still access EU data even against the will of a US company, and EU citizens have hardly any right to object or to obtain information about such access.

Transfers of personal data to the US therefore remain problematic despite SCCs.

So why enter into standard contractual clauses with US companies at all?

For the simple reason that the GDPR requires it. They are a necessary step on the way to legally compliant data transfers. 

On the one hand, SCCs increase the security of the personal data transferred, but on the other hand, they also create certain obligations for the parties. 

One of these obligations is the so-called Transfer Impact Assessment (TIA). In this mandatory step, the parties must assess whether the data importer can guarantee a sufficient level of data protection in the destination country – after the CJEU's Schrems II decision, this must almost certainly be negated in the case of US providers.

Under the TIA, the contracting parties must take “supplementary measures” if the data protection levels are not sufficient. This brings us to the next point. 

Is there even a way to legally send personal data to the US?

Encryption of data could qualify as a supplementary measure to prevent access by intelligence agencies. But most services in the marketing and analytics space will not work with encrypted data. 

Another measure recommended by the European Data Protection Board as well as several data protection authorities is the pseudonymization of data. 

The French data protection authority CNIL has elaborated on the advantages of pseudonymization using Google Analytics as an example. The Danish data protection authority Datatilsynet followed these recommendations.

We already explained the principle of pseudonymization in more detail here.

Better safe than sorry

In any case, the following applies to transfers to US companies: Standard Contractual Clauses must be concluded and kept up to date, whether supplementary measures have been taken or not. The EU data protection authorities are definitely paying attention to this.

And the next deadline is December 27, 2022: By then, organisations must have converted all SCCs to the new templates presented by the EU Commission in 2021. 

So it’s high time to check with all your third-country contractual partners whether these latest SCCs are in place. We’ve created a guide for you here that explains the process step by step. 

Wait, isn’t there a new data protection agreement coming soon between the EU and the US?

Yes, US President Joe Biden put forward a blueprint for a new agreement in October 2022. However, the draft has been harshly criticised by data protection activists, and there is doubt that the new framework will meet the requirements set by the CJEU in the Schrems II ruling.

The agreement could come into force in the first quarter of 2023. Whether it will stick is more than questionable: the Austrian data protection activist Max Schrems, who has already taken two cases to the CJEU, has announced that he will challenge the new framework in court as well.
