On December 19th the EU Advocate General for the European Court of Justice issued an advisory opinion to the court in the case known as Schrems II. The main question presented to the court is the validity of the EU standard contractual clauses (SCCs) or model clauses as they are also known. Although the context of the case is transfers from the EU to the US, it has been uncertain whether the court would make any conclusions as to the more general viability of these widely used contracts for personal data transfers.
Although the Advocate General’s (AG) opinion is not binding on the court, the court often relies upon the AG’s opinion. So, what are the lessons that appear in the AG’s opinion?
- The SCCs issued by the European Commission (EC) are fine, in and of themselves, to use as a legal basis for transferring data to a third party in a jurisdiction that does not have what the EU considers to be adequate privacy protections;
- The EC’s 2010 decision (2010/87/EU) with respect to the use of SCCs states that the EC – in making the SCCs available – does not mean that a data controller or an EU member state Supervisory Authority (f/k/a DPAs) must use them or must find the SCCs to be effective protecting EU data in every instance;
- It is acknowledged that there may be circumstances in which either the data importer has breached the requirements of the clauses or that the data importer is otherwise incapable of protecting the data (which might occur in a jurisdiction in which rogue national security regimes wantonly vacuum up all personal data, without naming any names). In such circumstances, the SCCs would perhaps not be effective;
- It is therefore the responsibility primarily of the data controller and secondarily of the Supervisory Authority to determine whether the SCCs are effective in a particular circumstance; and
- Oh, by the way, the AG has reservations about the Privacy Shield validity and all but invites relitigation of that transfer mechanism.
So, this suggests that SCCs remain an official choice for now, but break not out the bubbly. This means that each EU data controller is further put on notice about transfers to a) companies and b) jurisdictions. If a US importing company experiences a data breach with EU data received under SCCs that would almost certainly constitute grounds for termination of the SCCs unless the EU data controller can assure itself that the company’s protections remain effective.
More significantly however, EU data controllers and Supervisory Authorities have been more clearly authorized to decide by themselves that the nature of the US government is such that no US importer could possibly comply with the SCCs by preventing disclosure to the USG. It seems unlikely a data controller would make that decision, though a conservative data protection regulator might take that approach. To do so would be inconsistent with the latest health check of Privacy Shield – which suggests that US national security is behaving. The final paragraph of the press release suggests that the AG is skeptical of Privacy Shield. If Privacy Shield falls, then there would be a potential basis for EU exporters and more likely SAs to prohibit US transfers.
Stay tuned, as EU privacy developments continue at a rapid pace.