New Standard Contractual Clauses for AI systems

Written by Aušra Mažutavičienė
October 20, 2023

We’re back with the privacy news:

  1. New Standard Contractual Clauses?! Yes, but this time it’s for AI systems.
  2. Privacy monetization by Big Tech - according to Meta’s pitch, European users would have the option to pay a fee or agree to personalized ads.
  3. The EU-U.S. Data Privacy Framework survives the first legal challenge, but it’s just an interim relief.

1. AI SCCs - new clauses to be considered in the procurement of AI

On October 5, 2023, the European Commission published Standard Contractual Clauses for the Procurement of AI systems (AI SCCs). The new AI SCCs are aligned with the requirements of the upcoming European AI Act and are intended to support public organizations.

The AI SCCs are not mandatory (yet) and are developed for pilot use by the public sector, with the aim of establishing responsibilities for trustworthy, transparent, and accountable development of AI technologies.

In addition to a full version of the AI SCCs, a light version of the clauses has also been developed. It’s for non-high-risk AI systems.

More details on the AI SCCs, including the link to the clauses themselves, can be found here.

What does it mean for you?

Although the AI SCCs are not mandatory, they include a number of clauses that could be relevant for companies purchasing AI systems. So it may be worth incorporating them in the procurement of AI systems, to make sure you have done your due diligence before the AI Act kicks in.

By now, you are probably well aware of the GDPR SCCs, which serve as a data transfer tool. While AI SCCs share some similarities, they are specific to AI systems and do not comprise a full contractual arrangement, i.e. they can only be attached as a schedule. AI SCCs also don’t cover any of the GDPR requirements.

This means that in situations where the procurement of an AI system involves transfer of personal data outside the EU, a combination of both GDPR SCCs and AI SCCs might be necessary. Just another addition to your vendor contracting complexity!

2. Privacy monetization - will Europeans have to pay for privacy?

Reportedly, Meta is in talks with the data protection regulators to launch an ad-free subscription version of its service in the EU. Users who do not want to pay a fee of $14 per month to access Meta apps Facebook and Instagram would have to accept personalized ads.

Even if few people choose the paid version, making such an option available could serve Meta’s interests in the region, as they can continue to serve personalized ads for free users without asking for consent.

Would a choice of paying a fee or paying with your privacy breach the GDPR?

“Fundamental rights cannot be for sale,” said Max Schrems in his statement reacting to Meta’s pitch.

But it looks like the regulators are not as assertive. In the recent Grindr case, the Norwegian Data Protection Authority imposed a fine on the Norwegian dating app of approximately €6.5 million for not complying with the GDPR rules on consent and unlawfully sharing personal data with third parties for marketing purposes.

However, in the same decision it was noted that if Grindr had asked the users to choose between a paid version and a free version where the users would pay with their data, the consent would have been valid.

If this approach is justified, companies like Meta will continue to profit from people’s privacy. So it will be very interesting to see how it progresses.

Why does it matter?

Well, if you’re using Facebook ads and they can only reach the audience who refused to pay for their privacy rights, the service is not only less efficient, there’s also an ethical aspect to take into consideration.

3. Request to suspend EU-U.S. Data Privacy Framework was rejected

In our previous newsletter we mentioned that the EU-U.S. Data Privacy Framework (DPF) has already been challenged: French Member of European Parliament Philippe Latombe filed an application to suspend the DPF. However, last week the EU General Court rejected this request. The court said Latombe cannot prove serious harm, and therefore cannot show an urgent need to suspend.

This is just an interim ruling. And, undoubtedly, there's more litigation against the DPF to come. However, until there's an EU court decision to the contrary, the EU-U.S. Data Privacy Framework is a valid legal mechanism to transfer data to the U.S. Judicial processes in the EU may take months or even years, so at least an interim relief at this point is appreciated.