On December 19, 2019, the Advocate General for the Court of Justice of the European Union (“CJEU”) issued a nonbinding opinion in case 311/18, commonly called Schrems II. The Irish High Court referred 11 questions to the CJEU related to whether the EU standard contractual clauses provide “appropriate safeguards” for the transfer of personal data out of the EU to countries like the U.S. Among other views expressed by the Advocate General, he proposed that the CJEU find the standard contractual clauses valid.
The issues in Schrems II mirror those in the well-publicized Schrems I decision, in which Austrian lawyer and privacy activist, Maximillian Schrems, filed suit with the Irish Data Protection Commissioner alleging that Facebook Ireland improperly allowed U.S. authorities to access personal data in violation of EU data protection laws. These laws include the EU Data Protection Directive (the predecessor to the General Data Protection Regulation (the “GDPR”)) and the EU Charter of Fundamental Rights (the “Charter”). To much public commentary, in Schrems I, the CJEU invalidated the U.S.-EU Safe Harbor Framework.
In light of the cancellation of the Safe Harbor Framework, continuing to cite the U.S. government’s allegedly indiscriminate ability to access data, Schrems turned his attention to the contracts used between the exporter and importer of data containing standard protection clauses adopted by the European Commission (the “Commission”). These are the standard contractual clauses at issue in Schrems II.
The Advocate General outlined three mechanisms commonly used by non-EU entities to legitimize cross border data flow. As a starting point, a transfer can be authorized by a finding by the Commission that the transferee state ensures an “adequate level of protection” for the transferred data. These states are the countries that have received an “adequacy decision” from the Commission. Second, data transfers may be authorized by way of consent of the data subject. Third, a cross border transfer is authorized when accompanied by “appropriate safeguards.” These safeguards often take the form of the so-called standard contractual clauses at issue in Schrems II.
Summary of Opinion
In the introduction of the opinion, the Advocate General stated that his analysis as a whole “will be guided by the desire to strike a balance between, on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’, and, on the other hand, the need to assert the fundamental values recognized in the legal orders of the Union and its Member States, and in particular in the Charter.”
In its referral for preliminary determination, the Irish High Court asked the CJEU to determine the level of protection required when a transfer is based on the standard contractual clauses. In his response to this question, the Advocate General concluded that, when standard contractual clauses are used, protection must be “essentially equivalent” to that which “follows from the GDPR, read in light of the Charter.” The Advocate General based this conclusion on the objective of Article 46(1) of the GDPR in particular and on the aim of the GDPR as a whole. Whether the full CJEU will agree with this assessment is yet to be seen.
The Advocate General’s response to the requests from the Irish High Court was that “the questions for a preliminary ruling has in [his] view disclosed nothing to affect the validity of Decision 2010/87 [the standard contractual clauses].”
Implications for the Privacy Shield
Schrems II does not directly challenge the validity of the E.U.-U.S. Privacy Shield (the “Privacy Shield”). The Privacy Shield, adopted in Decision 2016/1250, permits undertakings conducted by entities which have self-certified their adherence to certain data privacy principles. As many have commented, Schrems II questions whether certain transfers of personal data to the U.S. represent a wholesale violation of the Charter. If a violation of the Charter is found, the reasoning goes, then the Privacy Shield would necessarily fall. The Advocate General’s opinion, however, signals that the Privacy Shield may remain valid.
What does this mean for you?
Aside from standard contractual clauses and the Privacy Shield, U.S. organizations are left with a limited number of alternatives for transferring personal data from the EU to the U.S. These alternatives include (1) binding corporate rules, which take years to get approved and are inflexible, and (2) freely given consent, which can be unreliable due to the ability to withdraw that consent. The Advocate General’s opinion signals that the standard contractual provisions and Privacy Shield may still be valid options, but impacted entities should take careful stock of data being transferred out of the EU and monitor this space.
Vinson and Elkins tracks developments related to data privacy laws in the United States and abroad and helps businesses operate smoothly in this changing landscape.