The Opinion of Advocate-General (AG) Henrik Saugmandsgaard Øe in the “Schrems II” case (C-311/18) was delivered on 19 December and will likely leave organisations that currently rely on EC Commission-approved standard contractual clauses to ensure adequate protection for personal data that they transfer internationally heaving a collective sigh of relief, at least for the moment.
Although not binding on the CJEU, the AG’s Opinion, which suggests that Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries (SCCs) is valid, may well be indicative of the future validity of SCCs – arguably the most commonly adopted safeguard to ensure adequate protection for personal data transferred outside the EU. Interestingly, however, the Opinion also suggests that data controllers (and supervisory authorities) will be obliged to suspend or prohibit international personal data transfers where the law of the third country to which personal data are transferred conflicts with the SCCs in such a way that the SCCs cannot be complied with. Organisations relying on SCCs will also need to consider this.
The GDPR provides that transfers of personal data to third countries or international organisations (i.e. countries or organisations outside the EU) are permitted only where either the EC Commission has made an “adequacy decision” in respect of the destination countries or organisations, or such transfers are made subject to appropriate safeguards (as set out in the GDPR) to ensure adequate protection for such data, or if one of a number of listed derogations for specific situations applies. In the absence of an adequacy decision, organisations can ensure that internationally transferred personal data are adequately protected in various ways, including through the use of binding corporate rules (if personal data are being transferred between entities within the same corporate group), obtaining the explicit consent of the individuals to whom the personal data relate and through the use of SCCs, where an EU-based data exporter enters into an appropriate agreement with a non-EU-based data importer. Many organisations rely on SCCs as being a relatively straightforward and cost-effective method of ensuring compliance with their data protection obligations regarding internationally transferred personal data.
Schrems II follows on from the first Schrems case (C-362/14), which resulted from a complaint made by Maximilian Schrems, an Austrian privacy activist, to the Irish Data Protection Commission. Mr Schrems complained about the transfer by Facebook Ireland of his personal data to the USA where it could be accessed by certain US authorities in ways that, he argued, breached applicable EU data protection laws. Eventually, Schrems I led to the CJEU invalidating the US-EU safe harbor framework (which also resulted from a Commission Decision), which had been relied upon by many organisations to ensure that personal data transferred from the EU to the US were adequately protected. In the light of this, many organisations began to utilise SCCs to protect personal data transferred to the US (as well as to other third countries) although, ultimately, the safe harbor scheme was replaced by the more robust US-EU Privacy Shield scheme. Schrems II challenged the validity of the SCCs for similar reasons to those advanced in Schrems I.
Interestingly, the Opinion questions the validity of the Privacy Shield Commission Decision in the light of the GDPR, especially in respect of inadequate transparency regarding access to personal data transferred from the EU by US intelligence authorities and the effectiveness of remedies available to the relevant data subjects. However, the AG’s view is that the CJEU is not required to rule on this in the context of Schrems II, as the ECJ was not specifically requested to consider this question. If the CJEU does not do so, the European Commission has indicated that it will consider the impact of the CJEU’s judgment in Schrems II on Privacy Shield, but currently Privacy Shield remains a valid mechanism for EU/US personal data transfers. On a related issue, the activities of British intelligence authorities may lead to similar debates post-Brexit if US intelligence activities (as revealed by Snowden) also involve the British intelligence authorities.
While the Opinion will provide some comfort to those organisations currently relying on SCCs to ensure that personal data that they transfer internationally are properly protected, as required by the GDPR, this is not the end of the story – organisations will need to wait for the CJEU’s judgment (expected in early 2020) to discover whether or not they can continue to use SCCs to protect personal data transferred outside the EU, going forward. If the CJEU disagrees with the AG, such organisations would have to find alternative valid transfer mechanisms to rely on, although which alternatives will be most appropriate is currently not completely clear.