In an opinion delivered on 19 December 2019, Advocate General Henrik Saugmandsgaard Øe finds that the Court of Justice of the European Union (ECJ) should declare that the Commission's decision on standard contractual clauses (SCCs), widely used for the international data transfers, is valid. William Fry represented BSA The Software Alliance, (which includes Microsoft, Apple, Workday, Adobe and others) before the Irish Court that made this reference.
These proceedings arose from a complaint made by Mr. Schrems to the Office of the Irish Data Protection Commissioner, now the Data Protection Commission (DPC) about the transfer by Facebook Ireland of his data to the United States. After hearing submissions and arguments, the Irish High Court referred eleven questions to the CJEU for determination.
AG Saugmandsgaard Øe determined that the core issue referred from the Irish Court is whether the decision of the Commission that established the SCCs is valid. The SCCs had been used by Facebook Ireland as a lawful basis to legitimate the relevant transfers.
AG Saugmandsgaard Øe states in his opinion that "the standard contractual clauses adopted by the Commission provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there".
If there is a conflict between the obligations arising under the SCCs and those imposed by the laws of the relevant third country, which means that the SCCs cannot be complied with, then there is an obligation on data controllers (the companies exporting the data) to suspend or prohibit the transfer. If a data controller fails to suspend a data transfer, then the obligation falls on data protection authorities, to ensure the data transfer is suspended.
Although not found to be core to the questions referred to the CJEU, AG Saugmandsgaard Øe raised serious questions about the validity of the Privacy Shield decision about the right to respect private life and the right to an effective remedy.
Importance of SCCs for Businesses
BSA (with assistance from the American Chamber of Commerce) conducted a survey submitted to the Irish Court in relation to corporate data transfer practices. The survey found:
- The majority of respondents (89.5%) rely on SCCs for transferring data from the EU/EEA to the United States;
- European based companies are even more dependent than American companies on SCCs for data transfers from the EU/EEA to the United States.
The results of the survey demonstrate the crucial importance of SCCs for global businesses that overwhelmingly rely on them as a legal basis for international transfers.
Challenges Ahead for Businesses
Although AG Saugmandsgaard Øe's opinion is not binding on the CJEU, we expect the CJEU to follow the opinion.
While there will be a collective sigh of relief by businesses with the finding that SCCs themselves appear to be safe, there are at least three key messages for businesses on which they will need expert guidance.
Firstly, there would appear to be a primary obligation on businesses to evaluate the legal framework of the destinations to which data will be sent. Many companies are not currently prepared for this complex task that will require significant due diligence and questionnaires to be raised on the laws of the third countries by data controllers/exporters. This work will need to be done before SCCs can be put in place to show accountability, which is essential for compliance.
Secondly, any businesses currently relying solely on Privacy Shield should plan for a real possibility that a different legal mechanism may soon be needed.
Finally, this opinion also raises a real risk of fragmentation within the EU, at least on an interim basis, with different data protection authorities making different decisions on data transfers.