The EU's highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the European Union (EU) for many years.
Today, the advocate general (a.g.) has rendered an opinion on this case, widely known as the Schrems II case, for the court to consider. By way of procedural note, the a.g. typically issues an opinion, which then the full court considers before rendering its final decision. The a.g.'s opinion is not binding on the court, but generally is viewed as persuasive.
The a.g. advises that the SCC are not invalidated, but the a.g. suggests that reliance on the SCC requires companies to undertake certain measures to assure compliance. In particular, data controllers should make their own assessment as to whether the "data importer" is able to comply materially with all SCC requirements. In other words, an exporter cannot simply enter into SCCs and not assess for itself whether a specific importer will comply with them. Notably, the a.g. advised that the court should not take this opportunity to rule on the validity of a related transfer mechanism, the EU-U.S. Privacy Shield, although the opinion suggests that a full court review of Privacy Shield may lead to concerns about transfers under that mechanism.
The specifics of the ultimate decision by the CJEU may not be known for several weeks, but this is a signal that the outcome may make it more difficult to transfer personal data outside the EU.
Given the very wide use of SCCs in companies' global compliance plans, companies should prepare now to evaluate their existing data transfer agreements for their adequacy in protecting data subjects' rights, bearing in mind that they are subject to scrutiny by national data protection regulators; and, if they are not, to evaluate alternative grounds and approaches to addressing the cross border transfer issue.
For international companies this means that:
- The SCC will remain available as a data transfer instrument, but present a greater risk as the associated transfers remain subject to scrutiny by (national) Supervisory Authorities and subject to complaints of (activist) data subjects.
- Data exporters must check regularly that the data importer is in fact complying with all its commitments under the SCCs.
- National DPAs have the powers to suspend the transfers if exporters (controllers) do not meet their responsibilities in this respect and are being encouraged to use them;
- This does not just concern the USA: it applies to all third countries for which SCC are used, including major industrial nations such as Brazil, India and even the UK, when the transition agreement on Brexit with the remaining EU members expires.
- In case of doubt, a new dilemma arises: should the exporter approach its DPA for guidance, or remain silent and accept the risk of liability and enforcement actions? To mitigate these risks, a number of options are available:
- Assess and document the risks for the importer to become subject to requirements under local law that exceed the scope of the GDPR. A data protection impact assessment may be a helpful tool; in any event, the assessment needs to be made on a country-by-country and importer by importer basis.
- Work on relationships with the (lead) DPA to keep abreast of their views on specific third countries and specific situations.
- In case the SCC safeguards cannot be guaranteed in a specific situation, SCCs cannot be used. Other choices can include Binding Corporate Rules (BCRs) for intercompany transfers, adequacy findings for countries, Privacy Shield (subject to the point above), derogations, and other approaches.
The opinion can be found here
What is the background to the Schrems proceedings?
The case has its roots in a complaint made by Maximilian Schrems to the Irish Data Protection Commissioner ("DPC"), because his personal data was being transferred from Facebook Ireland Ltd to its US parent company. In his opinion, his personal data was then being accessed unlawfully by US national security agencies.
In this article, we will first have a brief review of the initial case ("Schrems I") of the transfers under 'Safe Harbour.' We then give an overview of the proceedings after Safe Harbour was struck down: the transfer continued under Standard Contractual Clauses (SCCs) and Mr. Schrems reformulated and resubmitted his complaint to the DPC ("Schrems II"). Next we will summarize the questions that were referred to the Court of Justice of the EU ("CJEU") in this context and today's opinion of the Advocate General 'Henrik Saugmandsgaard Øe' ("AG") responding to these questions.
Finally, we will discuss possible consequences of the CJEU decision to be made in the light of the AG's opinion, anticipating the final CJEU decision and potential solution directions.
Mr. Schrems issued his initial complaint to the DPC on 25 June 2013. He challenged the validity of Facebook applying the Safe Harbour agreement, a legal instrument for EU/US data transfers. The DPC declined to investigate the complaint, as it was of the opinion that it was bound by EU law to comply with the Safe Harbour agreement. Mr. Schrems appealed this decision before the Irish High Court, which then decided to refer the issue to the CJEU for preliminary ruling.
On 6 October 2015, the CJEU ruled that national data protection authorities (DPA) are not prevented from investigating individual complaints related to EC decisions and legal instruments based on them, but made very clear that only the CJEU can declare such decisions invalid. Although not specifically asked for, the CJEU declared the Safe Harbour agreement invalid, stating that in adopting Article 3 of the Safe Harbour agreement, the EU Commission (EC) exceeded its powers and made a shortcut on the adequacy procedure laid down in the Directive 95/46/EC. Following the invalidity of the Safe Harbour agreement, the Privacy Shield mechanism was set up as an alternative instrument for EU/US data transfer.
Following the Schrems I decision, Mr. Schrems reformulated and resubmitted his complaint and requested the DPC again to suspend data flow from Facebook Ireland to its US parent company that were now based on the SCCs mechanism. Again, the DPC concluded that it was not possible to close the investigations without a ruling from the CJEU on the validity of the SCC decision. They therefore commenced proceedings before the Irish High Court to seek a preliminary reference to the CJEU on the issue of the validity of that decision.
In its ruling on 3 October 2017, the Irish High Court confirmed that in order for the DPC to close its investigations it was necessary to analyze the validity of the SCC decision. As ruled under Schrems I, this could only be done by the CJEU. To this end, 11 questions were referred to the CJEU for preliminary ruling.
Questions referred to the CJEU
The Schrems II questions referred to the CJEU were based on a number of generic issues of personal data transfer to countries outside the EU and some US specific issues. Finally, the ultimate question was raised: do the EC decisions on Standard Contractual Clauses violates the European Charter of Fundamental Rights?
- Does EU law apply to the further transfer and processing of data by national security authorities in countries outside the EU ("Third Counties")?
- Should potential violations of the rights of individuals through the SCC transfer be determined based on EU or Member State law?
- When assessing Third Countries' level of data protection, should this only be done based on its applicable domestic laws, or should exiting administrative rules, executive orders, etc. also be considered?
- In relation to the EU data protection laws and/or the European Charter of Fundamental Rights ("ECFR"), what is the level of protection required and what matters should be taken when transferring personal data to Third Countries under the SCCs?
- Have national DPAs the power to suspend data flows, if they deem a transfer in conflict with the SCCs, EU data protection laws and/or the ECFR?
US specific issues:
- Is a SCC transfer to the US violating the relevant articles of the ECFR?
- Is the Privacy Shield Decision binding on the national DPAs and courts of the Member States?
- Does the Privacy Shield ombudsperson provide a sufficient remedy in relation to the ECFR?