The Advocate General of the Court of Justice of the European Union issued a non-binding written opinion (the “Opinion”) in relation to case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, which is currently being deliberated upon by the judges within the Court of Justice of the European Union.
In his Opinion, the Advocate General held that the use of Standard Contractual Clauses (“SCCs”) which data processing entities must enter into in order to transfer personal data to a country located outside of the EU and that is not subject to an adequacy decision (a “Third Country”) is a valid safeguard in the protection of the personal data being processed. The Advocate General opined that the SCCs in fact offer a sufficient amount of data protection despite some of the concerns raised by Mr Schrems. The Advocate General went on to state that he considers, inter alia, that the SCCs provide a “general mechanism applicable to transfers irrespective of the third country of destination” and that they do not prevent authorities of Third Countries from imposing obligations that are contrary to the requirements of those clauses on the importer of the personal data.
The Advocate General acknowledged that it is the data controller’s obligation, or the regulatory authorities’ obligation where data controllers fail to act, to suspend or prohibit a transfer of personal data where a conflict arises between the obligations arising out of the SCCs and the laws of the country receiving the information.
Although the Opinion is non-binding on the CJEU and is not a ruling, the Opinion is significant as it is often the case that the opinion of the advocate general is followed in the ruling delivered by the judges within the CJEU.
The validity of the SCCs as they currently exist has been called into question since the implementation of the General Data Protection Regulation (2016/679/EU). One of the reasons for this is that the SCCs presently only cater for personal data transfers between controllers and controllers or controllers and processors, and not processors and sub-processors. The importance of the execution of the SCCs is also highlighted as a result of Brexit as data processing entities located within the UK may be considered to be located in a Third Country in the event of a no-deal Brexit. Therefore, implementation of the SCCs by any company located within the EU that processes personal data with an entity located in the UK should be concluded prior to Brexit so as to ensure that the data transfers occur in a lawful manner.