Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG's opinion here.
The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.
Below, we take a look at the AG opinion.
The background to the Schrems case is a complex one. The case is the continuation of an earlier complaint made by Schrems against Facebook in 2013. In 2013, Schrems filed a complaint with the Irish data protection authority claiming that Facebook's transfer of EU citizens' personal data under the Safe Harbor framework to Facebook in the U.S. violated their rights.
In a landmark finding in October 2015, the CJEU held that the Safe Harbor framework was invalid (Schrems I). We wrote about this decision here. Amongst other reasons, this decision was based on the fact that U.S. legislation did not limit the interference with an individual's rights to what is strictly necessary.
Since then, Schrems reformulated his complaint. Schrems decided to challenge the transfers to the US performed on the basis of the SCCs. The use of the SCCs was the alternative mechanism Facebook relied on to legitimize EU-U.S. data flows, as they could no longer rely on the Safe Harbor provisions following Schrems I. The Irish data protection authority brought the Schrems II proceedings before the Irish High Court who referred 11 questions for a preliminary ruling.
The key questions referred to the CJEU included:
- Whether the use of SCCs for transfers of personal data to third countries offers sufficient safeguards as regards to the protection of those freedoms and fundamental rights
- Whether the laws and practices in third countries are relevant when considering whether SCCs can be relied on to legitimize transfers of personal data to third countries
- Whether transfers of personal data to the U.S. will breach the EU Charter of Fundamental Rights, and in particular, Article 7 (privacy) and Article 8 (data protection) rights
- What role, if any, the Privacy Shield decision has on evaluating the transfers of personal data to the U.S. based on SCCs
Advocate General opinion
The key findings of the AG were as follows:
- The SCCs are valid. The SCCs provide a general mechanism applicable to transfers of personal data irrespective of the third country destination. The appropriate safeguards afforded by contractual means guarantee the appropriate level of protection.
- The main purpose of the SCCs is to compensate for any deficiencies in the protection afforded by the third country of destination, which the data exporter and importer contractually undertake to respect. The question of whether the SCCs adequately compensate for those deficiencies cannot depend on the level of protection guaranteed in the third country of destination.
- The compatibility of the SCCs with the EU Charter of Fundamental Rights depends on whether there are sufficiently sound mechanisms to ensure that any transfers based on the SCCs are suspended or prohibited where the SCC clauses would be breached or impossible to honor.
- The AG reiterated that the subject matter of the main proceedings relates to the validity of the SCCs and that any findings relating to the validity of the Privacy Shield decision could not influence the outcome of the dispute in the main proceedings.
Organizations relying on SCCs for legitimizing transfers of personal data outside the European Economic Area (EEA) should find comfort in the AG opinion. Provided the CJEU follows the AG opinion, there should be no significant changes to the current regime. However, the AG states that "a supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer," and "where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means." Therefore, organizations should ensure that the SCCs are being complied with in practice, or risk the transfer being suspended by a supervisory authority.
We will continue to monitor any developments closely, but in the interim, SCCs and the Privacy Shield remain a valid mechanism for the transfer of personal data to third countries pending the final ruling in Schrems II.
We expect to see the CJEU's judgment in the case in the first half of 2020. Keep an eye on this blog for future updates!