On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner (“Irish DPA”) in 2015 challenging Facebook Ireland’s reliance on the EU SCCs as a legal basis for transferring personal data to Facebook Inc. in the U.S. Facebook turned to SCCs following the earlier invalidation of the U.S.-EU Safe Harbor Framework.
Schrems alleged that Facebook should be prohibited from transferring data to the U.S. pursuant to the SCCs, as (1) the clauses adopted by Facebook are not consistent with the SCCs, and (2) the SCCs do not ensure an adequate level of protection for EU data subjects. Schrems’ main argument was that U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data unless strictly necessary, as provided for by EU data protection law, and accordingly there was no remedy that would allow data subjects to ensure protection of their personal data once it had been transferred to the U.S. Schrems requested that the Irish DPA suspend the transfer of personal data by Facebook Ireland to the U.S. The Irish DPA, in turn, brought proceedings against Facebook before the Irish High Court, challenging the validity of the SCCs. The High Court subsequently referred 11 questions to the CJEU for a preliminary ruling.
The Advocate General noted that, in considering whether the SCCs afford an adequate level of protection for personal data transferred outside of the EU, it is not necessary to assess whether the laws and practices of the country to which personal data is transferred offer an adequate level of protection. The Advocate General was of the opinion that the SCCs remain valid for the transfer of personal data from the EU to third countries. The mere fact that the SCCs are not binding upon authorities in third countries to which personal data is transferred does not in itself mean that the SCCs do not provide sufficient safeguards. On the contrary, the SCCs contain provisions requiring the suspension of data transfers if it is impossible for the recipient of personal data to honor the protections provided by the SCCs due to local laws and practices. Further, where that is the case, EU data protection supervisory authorities have the power to temporarily or permanently suspend transfers to the country in question.
In reaching his conclusion, the Advocate General adopted a pragmatic approach, and noted “on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world,’ and, on the other hand, the need to assert the fundamental values recognised in the legal orders of the Union and its Member States, and in particular in the Charter.”
The Advocate General’s opinion, if followed by the CJEU in its full judgment (due in 2020), would mean that the SCCs remain a valid mechanism for transferring personal data from the EU to third countries. Although the Advocate General’s opinion is not legally binding, such opinions are followed by the Court in approximately 80% of cases.
The opinion, if followed by the Court, is particularly important in the context of the UK’s withdrawal from the EU. Most organizations have utilized SCCs as part of their Brexit preparations. If the Court agrees with the Advocate General, organizations will be able to continue to rely on the SCCs for transfers of personal data from the EU to the UK after Exit day.
The Irish DPC welcomed the opinion, and noted that the “approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the AG, with national supervisory authorities where a controller fails to discharge its obligations.”
Although the Advocate General noted that the proceedings did not require him to consider the ongoing validity of the EU-U.S. Privacy Shield Framework, as that question is irrelevant to the proceedings at hand, he raised some concerns about the ongoing validity of the Privacy Shield. His particular concern is that the Ombudsman established in the U.S. to adjudicate complaints relating to the use of personal data that is transferred to the U.S. by U.S. intelligence services does not satisfy the condition of judicial independence, and does not provide an effective means by which individuals whose personal data is used by U.S. intelligence services may challenge that use of their personal data, or obtain access to, or rectification or deletion of, that data. It remains to be seen whether the CJEU will address the validity of the Privacy Shield in its full judgment in this case. For now, it appears that the Privacy Shield is likely to remain a valid data transfer mechanism.
The Advocate General’s opinion provides welcome relief to the many companies that rely on the SCCs to transfer personal data from the EU to the U.S. and to numerous other jurisdictions. The EU General Data Protection Regulation provides limited means for companies to transfer personal data outside of the EU, and if the CJEU’s ruling diverges from that of the Advocate General, companies will need to seek alternative means to transfer personal data outside of the EU or suspend those data transfers.