The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years.
Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU) that challenges the validity of the European Commission’s decision that Standard Contractual Clauses for Transfers to Data Processors (SCCs) are sufficient to address cross-border data transfer restrictions. SCCs have been the bedrock of cross-border personal data transfers outside the European Union for many years, such that this case has broad commercial implications for companies that do business globally. The a.g.’s opinion is a preliminary step in the process before the CJEU issues its final decision on the matter. The a.g.’s opinion is not binding on the court, but generally is viewed as persuasive.
In the opinion today, the a.g. advises that the SCCs should not be invalidated, but that reliance on the SCCs requires companies to undertake certain additional measures to assure compliance. In particular, a data exporter (i.e., the controller that transmits the personal data outside the EU) needs to make its own assessment as to whether the data importer (typically a service provider in a third country) is able to comply materially with all SCC requirements. A data exporter cannot simply enter into SCCs and not assess for itself whether a specific importer will comply with them. Notably, the a.g. advised that the court should not take this opportunity to rule on the validity of a related transfer mechanism, the EU-U.S. Privacy Shield, although the opinion suggests that a full court review of Privacy Shield may lead to concerns about transfers under that mechanism.
The specifics of the ultimate decision by the CJEU may not be known for several weeks, but this is a signal that the outcome may make it more difficult to transfer personal data outside the EU.
Given the very wide use of SCCs in many companies’ global compliance plans, companies should prepare now to evaluate their existing data transfer agreements for their adequacy in protecting data subjects’ rights, bearing in mind that they are subject to scrutiny by national data protection regulators, and, where those agreements are not adequate, to evaluate alternative grounds and approaches to addressing the cross-border transfer issue.
For international companies this means that:
- The SCCs will remain available as a data transfer instrument, but present an incrementally greater risk, as the associated transfers remain subject to scrutiny by (national) Supervisory Authorities and to complaints from (activist) data subjects.
- Data exporters must confirm that the data importer is in fact complying with all its commitments under the SCCs.
- National DPAs have the powers to suspend the transfers if exporters (controllers) do not meet their responsibilities in this respect and are being encouraged to use them.
- This does not just concern the USA: it applies to all third countries for which SCCs are used, including major industrial nations such as Brazil, India and even the UK, when the transition agreement on Brexit with the remaining EU members expires.
- In case of doubt, a new dilemma arises: should the exporter approach its DPA for guidance, or remain silent and accept the risk of liability and enforcement actions?

To mitigate these risks, a number of options are available:
- Assess and document the risk that the importer becomes subject to requirements under local law that exceed the scope of the GDPR. A data protection impact assessment may be a helpful tool; in any event, the assessment needs to be made on a country-by-country and importer-by-importer basis.
- Work on relationships with the (lead) DPA to keep abreast of their views on specific third countries and specific situations.
- In case the SCC safeguards cannot be guaranteed in a specific situation, SCCs cannot be used. Other choices can include Binding Corporate Rules (BCRs) for intercompany transfers, adequacy findings for countries, Privacy Shield (subject to the point above), derogations, and other approaches.