The Court of Justice of the European Union (CJEU) heard oral submissions on Tuesday regarding the validity of standard contractual clauses (SCCs) in Facebook Ireland & Schrems (Case C-311/18) (“Schrems II”). The Advocate General’s non-binding opinion (to be released in December 2019) will be analysed closely – SCCs underpin international transfers (not just to the US) and the outcome has repercussions for the EU-US Privacy Shield. Judgment is expected in early 2020.
What is the case all about?
Following a complaint by privacy campaigner Max Schrems to the Irish Data Protection Commissioner (DPC) regarding Facebook’s reliance on SCCs to transfer personal data from the EU to the US, the DPC commenced legal proceedings in the Irish High Court seeking a declaration on the validity of SCCs. The Irish High Court, focussing on Article 47 of the EU Charter of Fundamental Rights (the Charter), endorsed the DPC’s concerns (outlined here) and sought reference to the CJEU on the validity of SCCs.
The Irish High Court referred 11 questions (outlined in pp.20-24 of the ruling) – despite Facebook’s unsuccessful appeal to block the reference in the Irish Supreme Court. The first, and primary, question is whether EU law (including the Charter) applies to the transfer of personal data for a commercial purpose pursuant to SCCs from a private company in an EU member state to a private company in a third country, which may be further processed in that third country by its authorities for purposes of national security, law enforcement, and foreign affairs. Simply put, does access by US national security agencies to personal data from the EU break EU data protection laws – and does this invalidate SCCs?
The DPC asserts that the access and indiscriminate processing of personal data by US national security agencies (via surveillance programmes such as PRISM and Upstream) invalidates the adequacy of SCCs. However, whilst the DPC’s questions are focussed on EU-US transfers, a CJEU decision to invalidate SCCs will impact all international transfers pursuant to SCCs – not just with the US.
Schrems II follows “Schrems I” in 2015 (C-362/14). In the 2015 judgment, which caught most by surprise, the CJEU found transfers of personal data from the EEA to the US under the “Safe Harbor” data transfer scheme to be unlawful due to inadequate protections. In response, the EC authorised the Privacy Shield in coordination with the US government. In assessing the adequacy of data transfer safeguards between the EU and the US, Schrems II considers the relevance (but not the adequacy or validity) of the Privacy Shield Decision (see referred question nine). It remains unclear what impact Schrems II will have on the Privacy Shield – or how the Privacy Shield will affect the CJEU’s decision on SCCs. The CJEU General Court (Court of First Instance) was due to consider the adequacy of personal data protections under the Privacy Shield in La Quadrature du Net v Commission (Case T-738/16) (LQdN) on 1 July 2019. That hearing has been vacated to await the CJEU’s judgment in Schrems II.
What are the alternatives?
The alternatives to SCCs depend on the context of the international transfer, or on the European Data Protection Board (EDPB) codifying guidelines for the alternative mechanisms referenced under the GDPR, which it has yet to do:
- Adequacy decisions: full adequacy findings are rare – only 13 countries or territories are recognised as providing full or partial protection. The EU-US Privacy Shield (challenged indirectly by Schrems II and directly by LQdN) grants only partial adequacy – US data importers must be certified to receive certain personal data types.
- Binding Corporate Rules (BCRs): BCRs allow multinationals to send personal data to group entities outside the EEA (provided those entities have signed up to an internal code of conduct regulating international transfers), but they must be approved by supervisory authorities. Because the approval process is lengthy, BCRs cannot be implemented quickly.
- Contractual clauses or codes of conduct authorised by a supervisory authority: no final guidelines for “approved codes of conduct” or “certification” mechanisms exist. The EDPB has published draft Guidelines on codes of conduct, and will publish final certification guidelines by autumn 2019. As a result, supervisory authorities (including the UK’s ICO) have not accredited any certification bodies or codes of conduct.
- Article 49 GDPR derogations (e.g. consent, contractual performance): the EDPB considers use of derogations to be a last resort in the absence of other mechanisms – they are impractical for large-scale or repeat transfers.
If the UK withdraws from the EU without agreement (or an adequacy decision) on 31 October 2019, personal data transfers to the UK from the EU will be considered ‘third country’ transfers under the GDPR. SCCs will be the favoured mechanism (subject to the CJEU’s judgment in Schrems II) – see the ICO’s recommendation for small to medium-sized organisations. The current SCCs have not been updated to reflect the GDPR; for example, they still refer to the (defunct) Data Protection Directive 95/46/EC. Whilst the ICO states that the EC intends to update the SCCs (separately to Schrems II), it seems unlikely these updates will be made prior to the CJEU’s judgment in Schrems II. Until such amendment or replacement, the existing SCCs remain valid.
What can you do?
It is premature to implement alternative arrangements while the CJEU has not passed judgment. However, organisations making international transfers of personal data should ensure they understand the legal basis of those transfers. Where SCCs are used, organisations may wish to identify alternative safeguards in case SCCs are ruled inadequate.
The CJEU’s ruling in October 2015 that Safe Harbor was invalid caused similar headaches for organisations transferring personal data to the US. In the event SCCs are found to be invalid, it is likely that supervisory authorities will set pragmatic compliance deadlines (at least informally) to allow organisations to re-organise their compliance structures.