The Attorney General (AG) of the CJEU has delivered an early Christmas present, in the form of an opinion in the latest chapter of the Schrems/Facebook saga.
The opinion confirms that the European Commission's standard contractual clauses (otherwise known as model clauses, and essentially designed to oblige the exporting controller and the importing controller or processor to keep safe any data transferred) remain a valid safeguarding mechanism for businesses seeking to transfer personal data to processors which are located outside the EEA (and in countries which are not the subject of an EU adequacy decision). The opinion is, on the face of it, a positive one for many businesses. However, it does also serve as a reminder that whilst the standard contractual clauses are one of the most common safeguarding mechanisms used by businesses, they shouldn't simply be blindly signed by the parties without due regard for the wider circumstances of the transfer and whether personal data will in fact remain safe.
You may remember the first swipe which Max Schrems took against Facebook, back in 2015, when he complained that in light of the revelations made public by Edward Snowden about the surveillance activities of the US intelligence services, personal data of Facebook users residing in the EU and transferred by Facebook Ireland to servers located in the US, could not be kept safe, despite the Safe Harbour regime in place. That resulted in a finding by the CJEU that the Safe Harbour regime was not fit for purpose, which in turn led to the setting up of the current EU/US Privacy Shield as a safeguarding mechanism for transferring personal data to the US.
However, not content to let that lie, Mr Schrems reformulated his complaint alleging that a data transfer processing agreement which Facebook Ireland had put in place with Facebook Inc. and which incorporated the European Commission's standard contractual clauses, did not provide sufficient safeguards to protect data transferred under it to the US, or the privacy rights of those whose data was concerned.
The AG's opinion today is in response to this complaint, and confirms that since the standard contractual clauses already include an obligation on data controllers to suspend or prohibit transfers when it becomes apparent that the laws of the destination country conflict with the obligations in the clauses to keep data safe, they do constitute a valid safeguarding mechanism for transferring personal data to third countries.
The opinion will no doubt come as music to the ears of the many European, including UK, businesses which rely on the standard contractual clauses to maintain data flows outside the EEA. However, the story is not quite over yet – for a number of reasons. First, the AG's opinion is just that – a non-binding opinion, and we await the final decision of the CJEU early in the new year. Second, there was one spanner thrown – the AG did cast doubt over whether the existing EU/US Privacy Shield was adequate in protecting the right to respect for private life and the right to an effective remedy for breach of that, and we shall again have to see where the CJEU gets to on that. Third, if the CJEU agrees, then that could, notwithstanding any confirmation on the validity of the standard contractual clauses, still pose complications for businesses transferring data to the US, given the AG's reasoning for determining that the clauses remain valid, because it would then be incumbent on businesses which do rely on the clauses to comply with the obligation to suspend or prohibit data transfers to unsafe destinations.
As referred to above, such a decision, whilst providing certainty for businesses that they can still rely on standard contractual clauses, would also serve as a salutary reminder, and place the onus on them, to assess all the circumstances of the transfer – not simply the measures that the data importer has in place and will take to keep the data safe, but the wider context of the destination country to which the data is being sent, and the nature of the data being transferred and the risks associated with it, and to respond appropriately, for example, by limiting as far as possible, what data actually does get transferred. Furthermore, the AG in his opinion specifically referred to the fact that the clauses not only place an obligation on the parties, but provide enforceable rights and remedies for those individuals affected, against the exporter – though to date, we have not really seen claims being made by individuals in this way. These are not new points, but ones which have become all too easy to forget between parties, in the rush to simply go through the motions and put clauses in place. They are reminders of the expectations which GDPR places on businesses to handle and treat the personal data which they process responsibly, at all points of the life cycle, including transfer out of the EEA, in order to stay on the right side of both the regulators and those individuals concerned.
We shall have to wait and see whether the CJEU agrees with the AG; however, for now, the AG's opinion is at least one step in the right direction for the many businesses which do rely on the standard contractual clauses to transfer data outside the EEA.