On 19 December, the Advocate General issued his opinion in the Schrems 2.0 case concerning the validity of two key data transfer mechanisms: Standard Contractual Clauses (SCCs) and Privacy Shield – mechanisms widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA. In a 97 pages long analysis, the Advocate General developed several arguments. We read the opinion for you and distilled the following 5 key takeaways for businesses.

5 KEY TAKEAWAYS FOR BUSINESSES

Takeaway 1: SCCs continue to be a valid mechanism to support the transfer of personal data to any country located outside the EEA (irrespective of the level of protection guaranteed there).

Takeaway 2: SCCs in principle establish safeguards in relation to a transfer which are sufficient to compensate for any inadequacy of the protection afforded in the destination country.

Takeaway 3: Any data exporter looking to use SCCs (and where relevant Supervisory Authorities who have oversight over the activities of data exporters) has a responsibility to assess whether the law of the destination country may constitute an obstacle to the implementation of the SCCs.

Takeaway 4: The Advocate General does not want to take a formal decision on the validity of Privacy Shield.

Takeaway 5: If the Court, however, were to decide examining the validity of the Privacy Shield, the Advocate General raises “doubts” about its validity.

IMPACT ON BUSINESS

TAKEWAY 1: SCCs continue to be a valid mechanism to support the transfer of personal data to any country located outside the EEA (irrespective of the level of protection guaranteed there).

  • SCCs remain a valid mechanism to support the transfer of personal data to countries which do not benefit from an EU adequacy decision.
  • SCCs are currently the most popular mechanism for supporting transfers to countries that don’t benefit from an adequacy decision, so it is welcome news that the AG believes SCCs may still be used as a valid transfer mechanism.
  • The AG does however add a new caveat – the data exporter is expected not simply to apply the SCCs blindly, but to clearly consider the level of privacy protection provided within the destination country and ensure that if there are any shortfalls in protection, appropriate safeguards are taken to ensure the continuity of the level of protection of personal data afforded under the General Data Protection Regulation (“GDPR”). This will mean undertaking more active due diligence / assessment on the level of protection provided in the destination country and not just simply relying on the existence of SCCs to justify the transfer.

TAKEWAY 2: SCCs in principle establish safeguards in relation to a transfer safeguards, sufficient to compensate any inadequacy of the protection afforded in the destination country.

  • This aspect of the Opinion is helpful in not only restating the validity of the SCCs as a mechanism for transferring personal data, but also giving business confidence they don’t need to undertake a full scale assessment of the level of safeguards provided in the destination country.
  • As a matter of default, the SCCs provide safeguards against to compensate for any deficiencies in the level of protection otherwise afforded in the destination country. Therefore, the fact that a third country of destination does not provide enforceable data subjects rights and effective legal remedies for data subjects is not relevant given that those are being provided by the SCCs.

TAKEWAY 3: Any data exporter looking to use SCCs (and where relevant Supervisory Authorities who have oversight over the activities of data exporters) has a responsibility to assess whether the law of the destination country may constitute an obstacle to the implementation of the SCCs

  • This aspect of the Opinion raises an increased burden of accountability for companies – when a company uses the SCCs they take time to assess and be satisfied that the legal framework of the destination country won’t undermine the validity of the SCCs (eg through local laws which conflict with operation of the principles set out in the SCCs). This means that simply relying on SCCs as a basis for transferring data will not per se guarantee safeguards: the controller will have to undertake a wider assessment on the adequacy of a third country even when adopting SCCs.
  • There is a further risk that a data protection supervisory authority may determine that where it finds that the relevant safeguards offered by the SCCs cannot be guaranteed, they may prohibit or suspend transfers to a particular destination country. This may lead to higher levels of interference by Supervisory Authorities in the flexibility companies’ currently have to effectively transfer data anywhere in the world, with the potential ‘black listing’ of certain countries in the future.

TAKEWAY 4: The Advocate General does not want to take a formal decision on the validity of Privacy Shield.

  • Businesses will be relieved that that Advocate General is unwilling to consider a decision on the validity of Privacy Shield. As a result, data transfers made under the protection of Privacy Shield remain valid and there is no need to put in place any ‘repapering’ to SCCs.
  • Bear in mind however that questions on the validity of Privacy Shield have not gone away as another case is pending on this issue and the Court may still yet find challenges with the regime.

TAKEWAY 5: If the Court, however, were to decide examining the validity of the Privacy Shield, the Advocate General raises “doubts” about its validity.

  • Although business will be pleased that the Advocate General does not seek to formally invalidate Privacy Shield, the “observations” he makes suggest an underlying concern about underlying weaknesses in the validity of the European Commission’s original assessment regarding its adequacy.
  • It is clear the Advocate General has doubts about Privacy Shield and organisations should bear this in mind when thinking about relying on Privacy Shield as a transfer mechanism, as its days may well be numbered.

What will happen next?

The judges of the Court are now starting their deliberations in this case. The CJEU’s judgment typically follows a further three to six months after the Advocate General’s opinion and although the opinion carries significant weight, the Court is not bound to follow it and can (and sometimes does) adopt a different position. We expect a decision to be taken still before the 2020 Easter holidays.

Case reference: case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems