In the latest development in the Schrems II proceedings, the Advocate General has recommended that the Court of Justice of the EU should rule that the Standard Contractual Clauses (SCCs) continue to be valid and should not consider a number of related questions that were referred to it, including questions relating to the validity of the Privacy Shield decision in these proceedings. However, if the CJEU does consider the Privacy Shield decision, the AG has queried its validity.
In the opinion of Advocate General Henrik Saugmandsgaard Øe, which was delivered on 19 December, the AG stated that his analysis was generally guided by the desire to strike a balance between the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’ and the need to assert the fundamental values recognised in the legal orders of the Union and its Member States, and in particular in the EU Charter of Fundamental Rights. Key points made in the Opinion include the following:
- The sole issue in the main proceedings before the Irish High Court is whether Decision 2010/87, whereby the Commission established the controller to processor SCCs, is valid. As a result, a number of the questions referred to the CJEU, including questions relating to US laws and practices and the Privacy Shield decision, are not required to be answered and should not be addressed in these proceedings. These elements of the Opinion are likely to be disappointing to the Data Protection Commission who requested the referral of a broad range of questions to the CJEU.
- The SCCs provide a general mechanism applicable to transfers of personal data to third countries, irrespective of the third country of destination and the level of protection guaranteed there. They are designed to operate on the basis that, in and of themselves, they provide for ‘appropriate safeguards’ afforded by the exporter.
- The validity of the SCCs depends on whether there are sufficiently sound mechanisms available to ensure that transfers based on the SCCs are suspended or prohibited where the SCCs are breached or are impossible to honour.
- The SCCs are valid because controllers purporting to rely on them are obliged not to do so where the laws of the destination third country conflict with the SCCs and make it not possible to comply with them, and if controllers fail to comply with this obligation then data protection authorities should exercise their powers to prohibit or suspend transfers in such circumstances.
- Data protection authorities are not merely empowered but obliged to exercise their supervisory and enforcement powers to perform the tasks assigned to them under the GDPR, including in connection with transfers to third countries.
- There is a risk that different data protection authorities may take different approaches regarding suspending or prohibiting transfers based on SCCs to specific third countries, however the cooperation and consistency procedures provided for in the GDPR are available to resolve divergent approaches.
- The resolution of the dispute in the Irish High Court which led to the referral of questions to the CJEU does not require the CJEU to rule on the validity of the Privacy Shield decision. While the AG does not consider it to be necessary for the Privacy Shield decision to be considered, in case the CJEU decides otherwise the AG also provides, in some detail, his own view regarding the validity of the Privacy Shield decision. If Privacy Shield is considered by the CJEU, the AG has expressed doubt about its validity.
An Advocate General’s opinion is a non-binding recommendation to the CJEU. AG’s opinions tend to be followed in the majority of cases, but not invariably. It remains to be seen whether the CJEU will follow the AG’s recommendations, both in relation to the range of questions that are properly required to be considered in this case and in relation to the substance of the AG’s analysis regarding the points he considered. It would not be surprising if the CJEU takes a different approach on certain elements.
If the CJEU does follow the AG’s opinion, one of the likely consequences is that the onus will shift back to data protection authorities, such as the Data Protection Commission, to decide whether SCCs may be relied on to legitimise transfers to a specific third country where there are concerns as to whether the protections provided for by the SCCs cannot be complied with due to the laws or practices of that third country. In addition, according to the AG, all data exporters and importers who rely on the SCCs should also be carrying out careful considerations of the laws and practices in third countries to which personal data is exported in order to satisfy themselves that such laws and practices would not undermine the protections provided for by the SCCs.