In December, an Advocate General to the Court of Justice of the European Union (“CJEU”) issued an advisory opinion in the Schrems II case that impacts standard contract clauses (“SCCs”) and the EU-US Privacy Shield, two common safeguards currently used by US companies to enable the transfer of personal data from the EU to the US. Generally, the transfer of personal data from the EU to another country outside the EU is prohibited under EU data protection laws unless the EU has determined that the receiving country provides adequate protections or uses other approved safeguards. The US is not considered to be a country that provides adequate protections.
The Advocate General’s opinion confirmed the general validity of SCCs as a legal mechanism for transnational data transfer but suggested that SCCs may be insufficient where a third country’s laws impose conflicting obligations. The opinion, which is not binding but will likely influence the decision by the CJEU, offers at least temporary good news for companies that transfer European residents’ personal data to non-EU countries. The opinion, however, was critical of US national security and intelligence practices, laying the groundwork for the CJEU and the data protection authorities (“DPAs”) of EU member states to scrutinize individual arrangements that rely upon SCCs as the legal mechanism to transfer data to the US. The opinion also recommended that the CJEU avoid ruling on the validity of the EU-US Privacy Shield, but there have been at least some indications that the CJEU may be interested in taking on that broader issue. The CJEU is expected to issue a decision in the next three to six months.
The advisory opinion stems from the case known as Schrems II (Case C-311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems), brought by Ireland’s Data Protection Commission (“IDPC”) and the privacy activist Maximilian Schrems. Schrems, whose prior litigation led to the CJEU’s invalidation of the US-EU Safe Harbor Framework (the predecessor to the EU-US Privacy Shield), is arguing that SCCs do not sufficiently protect the privacy of EU residents’ personal data from US surveillance laws, and consequently, are inconsistent with the EU’s General Data Protection Regulation (“GDPR”). SCCs are a popular mechanism by which companies that transfer data from the EU can comply with GDPR. The other primary mechanism is the US Department of Commerce’s EU-US Privacy Shield certification program.
The Advocate General’s opinion concluded that SCCs provide a valid general mechanism to transfer personal data outside of the EU. However, the Advocate General advised that the decision to use SCCs for a particular data transfer must be examined on a case-by-case basis, which includes consideration of “the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure its security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country.” The Advocate General stated that data controllers (e.g., technology and social media companies) and supervisory authorities (e.g., the IDPC and other member state DPAs) are obligated to suspend or prohibit a data transfer when the laws of the US or other non-EU countries make it impossible to comply with the SCCs. For example, if a third country enacts a law that requires telecommunications services providers to grant the public authorities access to personal data without any restrictions or safeguards, then companies must stop the transfer of affected data to that third country.
Despite the Advocate General’s recommendation that the CJEU does not need to decide the validity of the Privacy Shield to rule in Schrems II, the opinion makes several observations that “question the validity” of the European Commission’s decision that the Privacy Shield ensures an adequate level of protection for EU to US personal data transfers and could lead the CJEU to take on the issue.
The opinion’s description and analysis of US intelligence activities reflect, in some respects, a less than comprehensive understanding of the complex authorities of US national security agencies. Nevertheless, the opinion’s lengthy analysis will likely be central to the resolution of the Schrems II case, as well as any specific matters reviewed by member state DPAs.
The CJEU’s decision can be of even greater significance in light of Brexit. If the EU does not determine that the United Kingdom (“UK”) provides adequate protection to personal data as a part of Brexit negotiations, the EU will require that data transfers between the EU and UK be accompanied by appropriate safeguards. Currently, the majority of affected multinational companies will likely rely on SCCs to transfer personal data from the EU to the UK following Brexit. Should the Advocate General’s opinion be adopted by the CJEU, there could be a wave of inquiries by various member state DPAs into individual data transfer arrangements from the EU to the UK.
For the time being, the status quo remains. To prepare for the coming CJEU decision, US companies should carefully evaluate their data transfer arrangements with both EU and UK entities and take stock of data sharing practices with the US Government. A rejection of the EU-US Privacy Shield by the CJEU would potentially require significant restructuring of transatlantic data sharing arrangements. As we await the CJEU’s decision, companies should consider other approved safeguards or mechanisms for transfers of personal data from the EU to the US, such as, if applicable, binding corporate rules or the exceptions provided under Article 49 of the GDPR, rather than rely on the Privacy Shield. Even a narrower CJEU decision that adopts the recommendations of the Advocate General would potentially lead to numerous and uncoordinated actions by member state DPAs. Either way, this matter warrants particular attention as it could create enormous complications for companies doing business with Europe.