EU Advocate General upholds validity of use of Standard Contractual Clauses (SCCs) for data transfers to third countries.
Case C-311/18. Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems.
Advocate General’s opinions are not binding on the Court of Justice of the European Union (CJEU), but the CJEU generally follows the advice of the Advocate General (AG).
Accordingly, many organisations which use SCCs in their data privacy legal architecture will breathe a (cautious) sigh of relief today at the news from Luxembourg.
In an Opinion published today, 19 December 2019, AG Saugmandsgard Oe held that the use of the clauses, often called “model clauses” is valid. A ruling by the CJEU will follow in some months. The AG did not, however, rule on the legality of the EU-US Privacy Shield, finding that it was not necessary in the current case for him to do so.
The AG did also sound a note of warning: a reminder that there is an obligation on data controllers; and where they fail to act, on the national supervisory authorities; to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the SCCs and those imposed by the law of the third country of destination; those clauses cannot be complied with.
In other words, one cannot simply sign a set of SCCs and ignore the impact that the national laws in the destination country will have upon them. This foresees a much more active role by national supervisory authorities than has previously been the case.
We will issue a more detailed note in due course, but for now, the decision is largely seen as an early Christmas gift to those companies who have relied on SCCs to transfer data to third countries.