Data controllers who transfer data to the US from the EU have been eagerly following the proceedings in Ireland & Schrems (Case C-311/18) (Schrems II). On 19 December 2019 the Attorney General issued their opinion on the 11 questions raised in that case, in advance of the Court of Justice of the European Union’s (CJEU’s) ruling due in early 2020. We discussed the issues raised in the case in advance of the oral hearing earlier this year.
Crucially the CJEU is expected to rule on two key issues (by reference to the 11 questions raised in the case):
- The adequacy of transferring data under the EU’s Standard Contractual Clauses (SCCs), also known as the Model Clauses. This is currently the mechanism used by Facebook, one of the defendants, to transfer personal data from an EU company (Facebook Ireland) to a non-EU company (Facebook Inc, incorporated in California).
- The adequacy of transferring data from the EU to the US by relying on the US Privacy Shield to provide appropriate safeguards. Schrems argues that, due to US surveillance laws, this conflicts with the EU human right to privacy.
Standard Contractual Clauses
Despite the action being attributed in the media to Schrems, the question of the validity of the SCCs was sent to the CJEU entirely by the Irish Data Protection Commissioner (DPC). Both Schrems and Facebook have argued that the problems with the SCCs could be addressed by a targeted solution, as Article 4 of the SCCs purports to give regulators (including the DPC) the power to order Facebook to “suspend” the data transfers in individual cases.
The different positions of the parties are:
- Facebook contends that the SCCs are adequate and that there is no conflict between US surveillance laws and the EU right to privacy (and so its current data transferring processes are adequate).
- Schrems argues that the SCCs are generally adequate (they can be used in relation to data transfers to all third countries, not just the US), but that the DPC must use their purported powers to limit the transfers to the US by Facebook, as the rights of EU citizens are not adequately protected in relation to US surveillance laws.
- The DPC argues that the SCCs are not functional, and so should be declared invalid. This would mean that the DPC does not need to intervene or use its purported powers under Article 4 of the SCCs in relation to Facebook. Schrems contends that this is merely a method for the DPC to avoid “doing its job”.
It seems that the Attorney General agrees, for the most part, with the position of Schrems. The Attorney General is of the opinion that the SCCs are valid. It is the data controller or, where they fail to act, the supervisory authority who is obliged to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the SCCs and those imposed by the law of the destination third country, those clauses cannot be complied with.
Whilst this will be a relief to the thousands of businesses who rely on the SCCs for daily transfers of data out of the EU to destinations across the globe, it may still cause issues for some of the larger US organisations. Schrems concludes that, if the CJEU follows the Attorney General’s reasoning, this decision will limit the impact to companies (such as Facebook) that fall under a specific US surveillance law, including “FISA 702”. Only in this situation would the DPC be obliged to step in to suspend the data transfers.
Previously the European Commission has explicitly held that US surveillance law is compliant with EU law (in the ‘Privacy Shield decision’). Consequently, the questions raised in Schrems II also, inadvertently, challenge the Privacy Shield decision.
US Privacy Shield
According to the Advocate General, the ruling on Schrems II does not require the Court to rule on the validity of the Privacy Shield decision and, in fact, the CJEU should not answer this question “with the sole aim of helping the DPC to deal with that complaint”.
Despite this, the Attorney General retains certain doubts over the Privacy Shield and sets out, in the alternative, the reasons that lead him to question the validity of the Privacy Shield decision in the light of the right to respect for private life and the right to an effective remedy. The opinion notes the inherent conflict between the requirement for the NSA to have access to, and intercept, data and the right to privacy of the EU data subject. An infringement of these rights can only be permitted if it is “provided for by law”. The Attorney General’s opinion casts doubt on “the sufficiently clear and precise nature… and the existence of sufficient guarantees to prevent the risk of abuse” in relation to FISA 702.
The Attorney General also discusses the perceived inadequacies with the Privacy Shield due to the lack of access to an effective remedy under US law. The European Commission has already recognised this and appointed an ombudsman under the Privacy Shield. However, the Attorney General, again, tends to agree with Schrems, noting that the ombudsman is not appointed as a matter of law and could be cancelled “without any particular guarantee” and that the ombudsman gives no guarantee of a remedy (such as rectification or erasure).
Whilst this opinion is a good indication of how the CJEU will rule in early 2020 (roughly 80% of rulings follow the Attorney General’s opinion), it is by no means a guarantee. Businesses that transfer data from the EU to the US should consider reviewing their data flows and preparing risk assessments to assess any dangers posed by a decision from the CJEU which calls into question the validity of the Privacy Shield or SCCs.