The Advocate General (AG) says the standard contractual clauses (SCCs) are valid but, where circumstances in the destination third country mean the SCCs would be breached or impossible to abide by, there is an obligation on the data exporter (and, where the exporter fails to act, the relevant supervisory authority) to ensure that any transfers based on the SCCs are suspended or prohibited.
Under the old Directive (95/46/EC) and the General Data Protection Regulation (GDPR), personal data may only be transferred outside of the EEA (i) if the third country to which it is intended personal data be transferred has been the subject of an adequacy decision, (ii) if appropriate safeguards are put in place (e.g. standard contractual clauses), or (iii) on the basis of certain derogations.
Use of SCCs to legitimize a transfer outside of the EEA is prevalent and, if the CJEU were to invalidate such clauses, a huge number of businesses would need to review their data transfer arrangements.
In Schrems I1, Schrems successfully invalidated the Safe Harbor framework (the predecessor to Privacy Shield) covering transfers to the U.S., in his complaint against Facebook.
Schrems then turned his attention to Facebook’s use of SCCs to legitimise transfers to the U.S. following the invalidation of Safe Harbor. On December 19, 2019, the AG issued his opinion in Schrems II2.
Schrems’ argument is that, irrespective of the SCCs, U.S. intelligence services can carry out data surveillance in a manner which breaches the GDPR – namely, by infringing individuals’ privacy and data protection rights.
The Advocate General’s opinion
The AG explained that the purpose of the SCCs is to allow data transfers to third countries not considered to have adequate protections, as any inadequacies are then compensated by the contractual safeguards. However, the SCCs are a contractual mechanism between the exporter and the importer only and do not bind the authorities of third countries to which data are transferred. In that regard, the law of the third country of destination may impose obligations on a data importer contrary to the requirements of the SCCs and may therefore make the obligations in the SCCs impossible to abide by.
However, this does not make the SCCs invalid in and of themselves. In the AG’s view, validity of the SCCs depends on whether there are sufficiently sound mechanisms to ensure that transfers based on SCCs are suspended or prohibited where the SCCs are breached or impossible to comply with.
Accordingly, the AG suggested that there is an obligation on the data exporter (and, where the exporter fails to act, the relevant supervisory authority) to determine for each transfer whether the SCCs provide sufficient protection. In the AG’s view, this determination would involve assessing factors such as the nature of the data and its sensitivity, data security mechanisms and the nature and purpose of any subsequent processing by the importer’s national authorities.
The AG acknowledged the practical difficulties in making supervisory authorities responsible for ensuring that data subjects’ fundamental rights are observed in the context of specific transfers, but considered that those difficulties did not make the SCCs invalid.
The AG also reflected on the validity of Privacy Shield but ultimately concluded that there was no need to examine the validity of Privacy Shield in the present case. He did, however, comment that the retention and access of metadata and content of communications by certain U.S. security authorities constituted an interference with individuals’ rights which cannot be justified under any legal basis and for which there is no effective remedy.
This is the AG’s opinion and not a formal ruling by the CJEU. Although the CJEU does usually follow the opinion of the AG, the opinion is not binding on the Court and thus is not always followed. We expect that the CJEU will give its ruling in the first quarter of 2020.
The AG’s opinion that the SCCs are valid will be a welcome relief to the many businesses that rely on SCCs to transfer personal data outside of the EEA, particularly to the U.S. However, businesses should be aware that, if the CJEU follows the AG’s reasoning and recommendation, there is more of an onus on controllers to make the call as to whether a data importer can actually comply with the SCCs in practice. If a data subject were to make a complaint that the SCCs were being breached, “a supervisory authority must examine with all due diligence the complaint lodged” and “where appropriate, it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means, where the exporter itself has not put an end to the transfer”. Businesses must therefore be conscious that a complaint by a data subject could lead to a supervisory authority suspending a transfer itself and questioning the exporter’s reasoning behind continuance of the transfer.
The message is thus one of caution: continue to use SCCs but be alive to whether the importer can actually comply with the SCCs in practice.