A European Court of Justice advocate-general’s opinion in Schrems II has argued that standard contractual clauses should remain in force – but that companies and regulators must check that the contracts actually protect data, and that the EU-US Privacy Shield could be invalid.
Advocate-general Saugmandsgaard Øe today said there is no reason to declare standard contractual clauses (SCCs) invalid. Companies frequently use the clauses to transfer data to non-EU countries, to safeguard data protection rights in jurisdictions that lack privacy rules equivalent to those in the European bloc.
The non-binding opinion comes as part of the long-running dispute between privacy activist Max Schrems and Facebook, in which Schrems has argued that Facebook’s subsidiary in Ireland should not be allowed to transfer data to its US parent company, as American laws require that data be passed to law enforcement authorities. A judgment is expected early next year.
The advocate-general sided largely with the arguments put forward by Schrems – who has not argued that SCCs should be scrapped; that position was only put forward by the Irish data regulator.
Schrems has proposed a “targeted solution”, in which the Irish regulator would force Facebook to suspend transfers from its Irish arm to the US, on the grounds that Facebook cannot adhere to the terms of the SCCs it uses because US surveillance legislation forces it to share data.
Øe today said arguments about whether there is EU-equivalent protection of data in the country where a company receives information is irrelevant to the assessment of whether SCCs are valid. The clauses are designed to protect data in countries that have not been deemed adequate by the European Commission, he said, meaning the safeguards contained within SCCs are at issue – not the contents of third countries’ surveillance laws.
“Since the raison d’être of the contractual safeguards consists specifically in compensating for any deficiencies in the protection afforded by the third country of destination … the validity of [SCCs] … cannot depend on the level of protection guaranteed in each of the individual third countries to which data might be transferred,” he said.
“The validity of [SCCs] depends only on the soundness of the safeguards which those clauses provide in order to compensate for any inadequacy of the protection afforded in the third country of destination.”
It is the responsibility of the companies involved in data transfers to assess whether the receiving company can in practice adhere to the terms of the SCCs – or whether surveillance and law enforcement regimes in the receiving country mean that the safeguards contained within model clauses will be undermined, advocate-general Øe said.
If companies fail to do so, that responsibility passes to relevant data protection authorities, the advocate-general said. If regulators find that SCCs cannot be complied with, they must “remedy that illegality”, he said – if necessary by suspending the transfer.
In an unexpected move, the advocate-general also commented negatively on the validity of the EU-US Privacy Shield, which allows companies to self-certify their data protection practices as “essentially equivalent” to those required in the EU. Companies covered by the Privacy Shield are deemed to have adequate levels of data protection.
Advocate-general Øe said that the validity of the Privacy Shield does not affect the validity of SCCs, as the standard clauses are designed for use in cases where countries have not been designated as adequate by the European Commission; whether the Privacy Shield provides proper protections is therefore not relevant to the safeguards provided by SCCs, he said.
However, he said it was necessary to provide an opinion on the validity of Privacy Shield, in case the ECJ’s judges decide not to follow his opinion and rule that the Privacy Shield’s validity affects SCCs.
Øe acknowledged Schrems’ claims that US surveillance law does not provide safeguards against “generalised access to the content of the communications … and therefore compromises the very essence of the data subjects’ right to respect for private life”. The advocate-general said: “I tend to share those doubts.”
“I entertain doubts, in particular, about whether the purposes of the processing at issue are defined with sufficient clarity and precision to ensure a level of protection essentially equivalent to that prevailing in the legal order of the [EU],” he said.
He also argued that the US Ombudsperson scheme – the process for challenging collection of data for surveillance purposes – does not constitute a proper judicial remedy.
Observers agreed that the opinion marks a positive outcome for businesses, given the number of companies that use standard contractual clauses.
Richard Cumbley, a partner at Linklaters in London, said: “Putting aside the legal niceties of it, it’s extremely good news for businesses in and outside Europe. It’s particularly good news for businesses in the UK – people were really worried about SCCs being struck down and a Brexit trade deal being done that would have required adequacy. If we’d lost SCCs, that would have been really damaging.”
But many also acknowledged that should the court follow the advocate-general’s opinion, companies will take on more due diligence responsibilities regarding their use of SCCs.
Eduardo Ustaran, a partner at Hogan Lovells in London, said the opinion “places the onus on companies and, ultimately, on regulators, to scrutinise the functioning of the contractual protections in practice. In essence, this means that organisations transferring data out of the EU cannot just sign the agreement and forget about it. Instead, they must ensure the importing organisation can comply with it.”
Jörg Hladjk, a partner at Jones Day in Brussels, said the ECJ should help guide companies and regulators in assessing conflicts between SCCs and surveillance laws. “There needs to be criteria that enables either the company or the [authority] to do a proper assessment so that it’s not only left up to the courts. It may provide good criteria and guidance in the upcoming judgment for making an assessment – it doesn’t have to be exhaustive but I think the ECJ should use this as an opportunity to help companies and [data protection authorities] do this better,” Hladjk said.
Marit Hansen, data commissioner for the German state of Schleswig-Holstein, told GDR that the GDPR makes it clear that responsibility for protecting data lies with the controller. “This encompasses knowledge of the relevant surveillance or data collection laws with respect to third countries which may result in problematic or unlawful access to the personal data transferred,” she said.
Hansen said that it would be “very helpful” for the ECJ to provide criteria on this issue. “In a dynamic legal field with personal data of all conceivable contexts, I don't think that one data protection authority will have full knowledge concerning all third countries. It remains within the responsibility of the data controller to check the individual case,” she said.
Schrems said in a statement that he is “generally happy” with the opinion. “The opinion is in line with our legal arguments. This is a total blow to the Irish DPC [Data Protection Commission] and Facebook as well as a very important step for users’ privacy,” he said.
A spokesperson for the Irish regulator said that it “welcomes the clarity of the analysis contained in the AG’s [advocate-general’s] opinion”.
A Facebook spokesperson told GDR that the company is “grateful” for the AG’s opinion, noting that thousands of businesses rely on SCCs. The company “looks forward” to the final decision, the spokesperson said.
Lisa Peets, a partner at Covington & Burling in London – who represented intervenor BSA, a business software trade association – said the opinion is “fully in line” with BSA’s arguments and that the opinion is “tremendously important” for companies across the economy that use SCCs.
Lawyers noted that the majority of judgments follow the earlier opinion, though Linklaters’ Cumbley said that judgments diverge more regularly in controversial cases such as this.
Counsel to Irish Data Protection Commissioner
Partner Damien Young in Dublin
Michael Collins SC
Counsel to Facebook
Mason Hayes and Curran
Partners Philip Nolan and Colin Monaghan in Dublin are assisted by Ciaran O'Neill
Philip Gallagher SC
Counsel to Maximillian Schrems
Ahern Rudden Quigley
Partner Gerard Rudden in Dublin
James Doherty SC, Lorraine O’Sullivan SC and Eoin McCullough SC