The long-running saga of “Schrems II” looks to be drawing to a close as the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issues his opinion reaffirming the adequacy of model contract clauses (MCCs) to protect personal data transferred outside the EEA.
Max Schrems will be known by many as the man who brought down Safe Harbor in 2015 after bringing a case against Facebook alleging that its use of the framework to transfer personal data to the USA did not comply with European data protection legislation. Schrems’s campaign against Facebook continued with a challenge to Facebook’s reliance on MCCs to legitimise its transfers of personal data to the USA. MCCs are a mechanism used extensively by many businesses to govern transfers of personal data outside the EEA and consist of sets of standard clauses approved by the European Commission (EC) that impose data protection obligations on recipients outside the EEA to ensure broadly equivalent protection for personal data as it would have within the EEA.
The AG’s opinion
The AG’s opinion will certainly come as a relief to organisations that rely heavily on MCCs, as he has confirmed that MCCs remain, as a general rule, sufficient. There is a caveat, however, that may prove significant. The AG confirmed that: “[there] is an obligation – placed on the controllers… and, where the latter fail to act, on the supervisory authorities… - to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the [MCCs] and those imposed by the law of the third country of destination, those clauses cannot be complied with.”
The practical effect of this is that, whilst controllers can continue to rely on MCCs as a valid mechanism of transferring data to recipients outside the EEA, they cannot simply sign the MCCs only to put them in a drawer to be forgotten about. Controllers must conduct an assessment to determine whether the MCCs can, in practice, be complied with, taking into account the laws to which the recipient is subject. The assessment should be ongoing and controllers should continue to scrutinise whether the contractual protections are actually being (and can actually be) complied with.
This could be particularly problematic in the context of transfers to the USA, where companies are legally required to allow the federal government access to personal data for national security purposes. There is a silver lining in that the Privacy Shield arrangement, which allows transfers to US companies that have self-certified with the scheme, has recently passed its third annual review and the AG has stated that he does not see a need to further investigate Privacy Shield. This can therefore continue to be relied on, and organisations transferring personal data to the USA may wish to take a two-pronged approach by implementing MCCs alongside the importer’s Privacy Shield certification, to allow the best possible chance of compliance.
The AG’s opinion will also, no doubt, offer additional reassurance to global businesses who are concerned about data flows to the UK post-Brexit. For many such data flows, MCCs are by far the easiest way to ensure compliance and these businesses will be happy to know that it looks likely that MCCs between EEA countries and the UK will remain an option.
The AG’s opinion is not binding on the CJEU, but the CJEU is very likely to follow it. Even if the CJEU does follow the AG’s opinion, some uncertainty will remain around the scope of the controller’s obligation to assess the recipient country’s laws to establish any conflicts between those laws and the requirements in the MCCs. We would hope to see regulatory guidance issued on the practicalities of conducting such assessments.