The validity of standard contractual clauses for personal data transfers outside of the European Union recently became the subject of a ruling, albeit nonbinding, of a major European court. The eagerly awaited 19 December 2019 opinion contains the findings of the Advocate General of the Court of Justice of the European Union. The opinion was issued following a preliminary ruling referral by the High Court of the Republic of Ireland in a dispute brought by activist Maximilian Schrems against Facebook and the Irish Data Protection Authority, and involving, inter alia, the government of the United States.
The findings leave a mixed first impression. Although the Advocate General shares, to a certain extent, the analysis of challengers to the legality of standard contractual clauses between a controller and a processor (as adopted by the European Commission Decision 2010/87), he nevertheless concludes that the clauses are valid under EU law.
The Court of Justice based its ruling on the articulation of Articles 45 and 46 of the GDPR. According to these Articles, it is only “[i]n the absence of an [adequacy] decision” that a controller or its processor must accompany the intended transfer of personal data to a third country with “appropriate safeguards.” In so doing, the Advocate General not only confirms the formulation of those provisions, but clarifies their scope.
According to the Advocate General, the purpose of the safeguards in Article 46 of the GDPR is to compensate for shortcomings in the protection afforded by the legal system of a third country where the processor, the recipient of the information, is located. Such contractual guarantees, intended to replace possible third country shortcomings, do not share the same status as an adequacy decision, since the adequacy decision’s purpose is to verify whether the level of personal data protection is sufficiently high as compared to that of the European Union. Under these circumstances, the review of their validity can only be different. In order to ensure the level of protection resulting from standard contractual clauses, a case-by-case examination is therefore required for each specific transfer. In practice, it is thus up to the controller to conduct such examination, under the supervision of the competent protection authority.
As the Advocate General refers to each company the task of verifying the validity of the standard contractual clauses it has signed, the value of the opinion might seem to be limited. This is not so. The importance of the opinion lies in its analysis of the essential aspects of personal data protection, the operational impacts of which are major for any organization considering a transfer outside of the European Union based upon standard contractual clauses.
Review of Past Events under the GDPR
The first aspect of the ruling is not necessarily the most important. The Advocate General's opinion reiterates a position now common in the Court of Justice of the European Union, as in certain protection authorities, including the French CNIL, according to which future decisions are to be delivered under the GDPR, even if they relate to facts pre-dating the GDPR.
This was the holding in the Fashion ID opinion, where the Court relied on Article 80(2) of the GDPR to confirm the interest in acting of consumer interest associations. It was also one of the factors underlying the judgment in Planet 49, which held that the GDPR is applicable to facts which occurred earlier, this time on the grounds that the purpose of the proceedings initiated was to put an end to conduct continuing after the date of entry into force of the GDPR.
In the case of standard contractual clauses, the reason is simpler. It follows from Article 94 of the GDPR, according to which these provisions essentially substitute for those of the previous Directive of 24 October 1995.
A GDPR applicable only to Cross Border Transfers, but to be considered in Further Processing
The second aspect of the Advocate General’s ruling has a broader impact. It does not concern the classification as processing of the transfer of personal data outside the European Union, but rather the scope of the GDPR. In the Advocate General’s view, the scope is limited to transfers outside the European Union per se. It does not directly apply to processing operations subsequent to the transfer, especially where the transfer has an initial commercial purpose, and the further processing operations have an enforcement purpose. This solution makes sense. Such further processing is in fact carried out by a third State, in this case the United States, on its territory and for a national security purpose which is in essence specific to the purposes of the US authorities, who are competent for such processing. This circumstance, therefore, has no impact on the rules applicable to the actual transfer operations from the European Union to the third country.
This does not mean, however – and this was the main purpose for the referral – that the opinion validates any transfer outside of the European Union based upon a simple agreement. The existence of further processing by a third State for security purposes within that State was therefore considered, but only within the context of the initial transfer.
Which Level of Protection?
The question then becomes whether standard contractual clauses should “achieve a level of protection corresponding to the same standard of ‘essential equivalence’ as that established by an adequacy decision.” According to the Advocate General, the answer does not depend upon the obligation to ensure a high level of personal data protection.
This is required both under Article 45 of the GDPR on adequacy decisions and under Article 46 of the GDPR on appropriate safeguards, including those of a contractual nature. In both cases, the purpose of these provisions is to ensure a continuity of the level of personal data protection beyond the borders of the territory of the European Union to which the GDPR applies. However, the answer depends on how this level of protection is ensured.
The Advocate General reads Article 44 of the GDPR to require that the rules it lays down on the transfer of personal data outside the European Union be respected by controllers and their processors “including for onward transfers.” In his view, it is not a question of applying the rules in the form of some sort of perfectly identical continuum, which is unrealistic given the differences in regulations within and outside the European Union. It is rather to ensure – in the form of a negative rule – that the level of protection is not “compromised,” using the terminology of the European regulation itself.
Appropriate but, above all, Effective Safeguards
Under these circumstances, it does not matter that the third State receiving the personal data transmitted by a controller within the European Union is not bound by the standard contractual clauses in European Commission Decision 2010/87. The only thing that matters is the existence of “sufficiently sound mechanisms to ensure that transfers [in question] are suspended or prohibited where those clauses are breached or impossible to honour.” What is, therefore, at issue is first and foremost the effectiveness of the guarantees provided.
In practice, this is significant for all countries that do not yet have, or will not soon provide, a level of protection equivalent to that of the European Union, such as Australia, South Africa, India, Singapore, Hong Kong, the People's Republic of China, South Korea and even, after Brexit, the United Kingdom. The ruling is also significant for countries that already do provide EU-level protections, such as Japan, Israel or Argentina, to the extent that entities located in such countries make further transfers to other destinations. No country is therefore spared.
Accountability – Guarantee of the Validity of Standard Contractual Clauses
The Advocate General's opinion is most instructive with respect to the validity of standard contractual clauses in such situations. He bases his reasoning on a now key principle of the GDPR: accountability. In so doing, he invites European courts to continue the work on the allocation of competencies that his opinion has begun. While the question of the adequacy of the level of protection offered by third countries falls within the jurisdiction of the European Commission, under the scrutiny – this is the contribution of the Schrems I judgment – of the Court of Justice, the question of the validity of contractual clauses remains with another actor. This is the data controller, who falls under the scrutiny of the competent protection authority. What remains is to identify how this authority determines the adequacy of protection.
Data controllers should bear in mind that “the standard clauses are not breached where the importer complies with mandatory requirements of the national legislation applicable to it in the third country.” Respecting the law, even that of a third State, is obviously not in itself illegal. Quite the contrary. Rather, data controllers need to monitor the scope of this local regulation, especially if it goes “beyond” what is necessary in a democratic society. In other words, violation of the standard contractual clauses only results from compliance with a requirement of the third State that exceeds what is proportionate to safeguard a legitimate interest recognized by the European Union.
Data controllers who rely on standard contractual clauses to transfer personal data outside of the European Union are, therefore, required to conduct a verification. By reference to Recital 108 of the GDPR, this verification consists of ensuring that data subjects have “effective rights (...) and remedies,” including the right to seek effective administrative or judicial remedies or to initiate actions for damages, whether in “the [European] Union or in a third country.” Since the criterion offers an alternative, it is thus enough that the standard contractual clauses guarantee such mechanisms. For the Advocate General, that was indeed the case, since Article 3 of the standard contractual clauses provides data subjects with a right of action against the exporter in the event of infringement of the GDPR or, where such an exporter has ceased to exist, the possibility of enforcing the clause against the importer. Article 6 supplements this provision by providing a right to obtain damages for the violation in question, while Article 7 makes the situation subject to mediation or to court action, according to the parties’ choice. In addition, the Article requires the importer to “certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the exporter,” and even requires the importer to notify the exporter without delay of any change that could have an adverse effect on the safeguards and obligations to which it has subscribed.
In addition to these provisions, the powers of each Member State Data Protection Authority also apply. For the Advocate General, these are also effective. They cannot be limited to exceptional cases, especially under the GDPR. By application of these provisions, the European Data Protection Authorities do not have a completely discretionary power, but rather an obligation to suspend or prohibit any unlawful transfer of personal data outside the European Union. The risk that different authorities will take different positions does not, per se, change the situation, since – as a remedy – the GDPR explicitly provides a mechanism for cooperation and coherence.
Ultimately, only if the importer of personal data is unable to comply with the standard contractual clauses must the exporter, under the scrutiny of the competent Data Protection Authority, then suspend the transfer. Failure to do so results in the clauses being deemed invalid.
Elements to be Verified
The operational consequences of such a conclusion are onerous. Indeed, they require data controllers to review each of the standard contractual clauses they have concluded, without presuming the level of protection of the receiving State. It is, therefore, a conscientious review.
In practice, the elements to be verified are customary. They primarily focus on the general characteristics of the processing. According to the Advocate General, they consist of taking into consideration “all of the circumstances [specific to] each transfer, which may include” (the list being non-exhaustive):
- “the nature of the data and whether they are sensitive”; and,
- “the mechanisms employed by the exporter and/or importer to ensure its security.”
The data controller’s analysis should thus first focus on enforcing the standard contractual clauses against the importer, especially with respect to the right to take action against the importer in the event of a defaulting exporter or to obtain compensation from the importer for the breach of these provisions.
The analysis, however, does not stop there. It also involves examining “the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country.” For that purpose, it is therefore necessary – as the Advocate General acknowledges – to refer to the list used to recognize the adequate level ensured, if that level is not guaranteed by the rules of the third State concerned. That list includes the rule of law, respect for human rights and fundamental freedoms, relevant legislation, public safety, criminal law and access by public authorities to personal data.
Hence there arises a certain paradox in the Advocate General's position. In his view, the review of the appropriateness of standard contractual clauses should not be performed in the same way as the review of the adequacy of third State regulations, which belongs to the sole jurisdiction of the European Commission under the supervision of the Court of Justice. However, contractual review overlaps with such analysis, to the extent it requires identifying the risks of breach by an importer of the commitments made.
Impact Assessment as an appropriate Balancing Tool
This presents a delicate balancing test for data controllers. In this, the Advocate General in a way revives the original position of the Article 29 Working Party – which he did not, however, explicitly support – which aimed at conducting an impact assessment in the case of international transfers of personal data.
At most, data controllers may draw from adequacy decisions, where they exist, as a “starting point.” The United States is the most typical example of this, since the “Privacy Shield,” authorizing the transfer of personal data to all US companies having signed up to the system, obviously does not extend to those that have not.
In the absence of an adequacy decision, data controllers have no choice but to refer to analyses of the Court of Justice, as long as the European Data Protection Authorities have not made public their guidance. That's where the difficulties begin. In the meantime, the methodology proposed by the Advocate General is interesting to explore. Of course, it only deals with adequacy decisions. It does, however, provide important reference points.
In sum, the Advocate General’s method consists of transposing to a third State the same analytical framework as one would use for an equivalent provision within a Member State, such as a restriction of a fundamental right. The reference provisions for making the comparison may, therefore, vary. If the equivalent measure falls within the scope of a law of the European Union, then the European Charter of Fundamental Rights and the European Convention on Human Rights must be relied upon. If, on the other hand, such a measure for national security purposes would not, if adopted by a Member State, fall within the scope of European Union law, only the European Convention would require review. In this, the Advocate General is consistent with the case law of the Court of Justice, which did the same by invalidating (in its Digital Rights judgment) EU Directive 2006/24, on the retention of traffic data by local authorities. The Court of Justice then extended (with its Schrems I judgment) the solution to the “Safe Harbor,” allowing US companies to have personal data transferred from the European Union, before adoption of the “Privacy Shield.”
Transposed to the scale of each transfer carried out on the basis of standard contractual clauses, the analysis by data controllers requires them to examine in great detail the scope of the transfer in question, its necessity, its proportionality and, above all, the safeguards surrounding it under the third State’s regulations. The analysis thus differs according to the purpose of the transfer.
If the purpose is exclusively commercial, the risk of invalidity of the standard contractual clauses will indeed be lower. The same applies to the operations carried out, as in the present case, via the Facebook social network, despite subsequent access – which is certainly still possible, but above all in a non-recurring and non-continuous manner – to that information by US authorities. In such a case, the impact assessment of the risk of the standard contractual clauses will then be conducted as if the question fell within the competency of the GDPR within a Member State, in light of the European Charter of Fundamental Rights and the European Convention for the Protection of Human Rights.
Conversely, the risk of breach of standard contractual clauses may be significantly higher if initial collection also occurs at the time of a commercial service and the transfer is in fact necessary to safeguard the public interest of a third State. This could include operations similar to the transmission, even indirectly, by private operators (such as airlines) of the personal data of their users (e.g. passengers) to the authorities of a third country, in particular those responsible for customs or immigration. In such a case, the impact assessment should be conducted only with reference to the European Convention for the Protection of Human Rights, where compliance with minimum safeguards must be verified.
As the Advocate General points out, the safeguards include “a clear indication of the nature of the offences which may give rise to an interception order; a definition of the categories of people whose communications are likely to be intercepted; a limit on the duration of the implementation of the measure; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.” Faced with these requirements, there is no doubt that the extensive cybersecurity regulations of third countries such as Russia or China are likely to raise important issues for data controllers transferring personal data to a company located there.
We await the final position of the Court of Justice, scheduled in the next few months, and expect it to follow the Advocate General, at least in part. This happens in most cases and would demonstrate...accountability.