The Advocate General to the CJEU has published his long-awaited opinion in the ongoing litigation by Max Schrems in relation to the lawfulness of transfers of personal data by Facebook to the USA. While the headlines may suggest that the Standard Contractual Clauses are a lawful basis for transfers, it is worth looking at the detail.
In particular, EU controllers should be aware that the AG does not view reliance on the SCCs as a “free pass” for transfers outside the EEA, and has also expressed concerns about whether Privacy Shield is compatible with EU law.
EU data protection law prohibits transfers of personal data outside the EEA unless a finding of adequacy has been made by the Commission in relation to the destination country or the exporting controller has utilised one of a number of methods approved by the Commission for international transfers. No finding of adequacy exists in relation to the USA. To assist organisations looking to transfer personal data to the USA, the Commission and the USA put in place a self-certification scheme called “Safe Harbor”.
In the first Schrems case, Mr Schrems challenged Facebook Ireland’s transfer of his personal data to Facebook Inc’s servers in the US. In 2015, the CJEU declared that the European Commission’s approval of data transfers from the EU to the US under the Safe Harbor scheme was invalid, as EU data was not adequately protected from surveillance by US law enforcement agencies.
Following the demise of Safe Harbor, many organisations switched to using Standard Contractual Clauses (SCCs) for data transfers, as approved by the European Commission in Decision 2010/87 for transfers outside the EEA. Safe Harbor was also replaced with a new EU-US transfer regime called Privacy Shield. The Commission contended that Privacy Shield remedied Safe Harbor’s inadequacies, though national supervisory authorities expressed concern.
Mr Schrems reformulated his complaint and challenged Facebook’s use of SCCs and Privacy Shield. The Irish High Court referred the matter to the CJEU and ‘Schrems 2’ emerged. Parties presented their views in a hearing that commenced on 9 July and the Advocate General’s (AG) non-binding Opinion was published on Thursday 19 December.
SCCs are valid, but…
Mr Schrems argued that the SCCs could not justify the transfer of his personal data to the USA, as there is no remedy to invoke his Charter rights in the US jurisdiction.
The AG has opined that, on the face of it, SCCs afford an adequate level of protection and therefore transfers of data by such means do not violate provisions in the European Charter of Fundamental Rights. In the AG’s opinion, the Commission’s 2010 decision adopting the SCCs is valid.
However, this depends on whether there are “sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.” It must be ascertained whether the safeguards provided in the SCCs make it possible to ensure data subjects have effective legal remedies. The AG went on to say that such a transfer should be suspended or prohibited when the clauses cannot be complied with because they conflict with the laws of the destination country.
In short, if it is not possible for personal data to be protected, then the transferring controller should suspend those transfers. If the controller fails to do so then the relevant supervisory authority should order the suspension or prohibition of the transfer.
In other words, controllers cannot simply rely on the SCCs. They still need to consider whether local laws conflict with the protections that the SCCs purport to provide.
It is (in this case) for the Irish Data Protection Commissioner to order Facebook to stop transferring personal data to the USA if it considers that US laws conflict with the provisions of the SCCs.
What about Privacy Shield?
Privacy Shield was approved by the Commission in 2016 as a replacement scheme for transfers of personal data to the USA.
Among other improvements over Safe Harbor, Privacy Shield saw the creation of a US Privacy Ombudsperson to ensure redress is available to individuals. Mr Schrems challenges the legal redress available to EU citizens and the US’ retention of data and intelligence service access to it.
The AG opined that as the sole issue before the Irish Courts is the validity of the Commission’s 2010 Decision on the SCCs, the CJEU does not need to respond to the Irish High Court’s questions in relation to the validity of Privacy Shield. However, the AG did express concerns as to whether the Commission’s decision on Privacy Shield conforms with EU data protection law.
In particular, the AG stated it is necessary to examine whether the US Privacy Ombudsperson will provide an effective remedy before an independent and impartial body and whether recourse ensures independent control of surveillance measures. The AG’s view is that it does not: the Ombudsperson is designated by the Secretary of State and is not independent of the executive. For these reasons, the AG doubts whether Privacy Shield is compatible with GDPR, the Charter and the European Convention on Human Rights.
The CJEU will now commence deliberations on the evidence heard during the hearing and the AG’s Opinion. Once the CJEU has published its judgment, then the matter will be remitted back to the Irish courts for further consideration.
The opinion will provide some comfort for EU controllers that currently rely upon the SCCs for transfers around the world. It will also be of interest to controllers and processors in the UK that are likely to receive rEU data post-Brexit.
However, even if the CJEU follows the AG’s opinion, given the concerns expressed by the AG over Privacy Shield and the need for DPAs to assess whether local laws may conflict with the SCCs, it is clear that this matter has some way to run. Watch this space.