Following a legal challenge to the validity of data transfers from organizations in Europe to organizations in countries like the United States, the opinion of the Advocate General (AG) of the Court of Justice of the European Union (ECJ) in Case C‑311/18 on the use of the European Union’s standard contractual clauses (SCCs) gave such transfers a green light to proceed. Although the AG’s opinion is not binding on the ECJ, it is often followed; the ECJ’s final decision is expected shortly.
Case C‑311/18 is important, given that SCCs (for data transfers to controllers and to processors located outside Europe) are widely used by thousands of organizations. The main plaintiff in the case, well-known privacy activist Max Schrems, who launched the case that invalidated the former EU–US Safe Harbor framework, had argued that European data exporters should not be allowed to transfer users’ data to the United States because that information could be turned over to US government agencies, including intelligence agencies, in certain cases without due process for the EU data subjects.
The governments of Ireland, Germany, Austria, Belgium, Netherlands, and Portugal and the European Data Protection board filed opinions, or amicus briefs, with the ECJ. The AG’s opinion is a nonbinding advisory opinion to the ECJ.
In the AG’s detailed opinion, Henrik Saugmandsgaard Øe suggests that there is “nothing to affect the validity of EU Decision 2010/87” (the European Commission’s February 2010 decision on the adequacy of data protection that SCCs provide between data controllers and data processors). The basis for the AG’s opinion is as follows:
- EU law applies “to transfers of personal data to a third country where those transfers form part of a commercial activity, even though the transferred data might undergo processing, by the public authorities of that third country, for the purposes of national security.”
- SCCs “provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there,” which is why they are used for data exports to organizations in countries that do not benefit from European Commission adequacy decisions.
- The AG considered that the validity of SCCs depends on “whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.” This means that it is incumbent on a data exporter to suspend the data transfer flow if it has a reasonable basis to believe or suspect that the SCCs are being breached or cannot be implemented by the data importer.
The AG states that “the validity of that decision does not depend on the level of protection that exists in each third country to which data might be transferred.” This is because SCCs themselves provide the contractual protections for data subjects’ rights as well as a comparable standard to European data protection law (under the former European Data Protection Directive, now replaced by the General Data Protection Regulation).
Certainty for International Organizations
The good news is that the AG suggests that EU Decision 2010/87 is valid. Otherwise, thousands of data flows that have relied on SCCs for nearly 10 years would have been invalidated. We anticipate that the ECJ decision will be along the same lines as the AG’s opinion.
Role of Data Protection Authorities
As the AG observes, if one data protection authority (DPA) suspended data flow to the United States or any other country without an adequacy determination it would create havoc. Suspending data flow is such a drastic measure that is only imaginable in specific cases and under certain conditions:
- The AG states that a DPA “must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the SCC.”
- The DPA must also use its “discretion” and must only suspend “the transfer . . . if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means.”
- The DPA must also provide a reasoned opinion that could then be scrutinized by a competent court. There is also the possibly that data subjects will claim remedies as third parties under the provisions of the SCC.