In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.
The CJEU’s Advocate General (“AG”) released his non-binding opinion on the case in December 2019, stating that the SCCs provide sufficient protection for EU personal data, but raising the possibility that businesses that rely on them may need to take a proactive role in evaluating whether there is in fact an “adequate level of protection” for personal data in the importing jurisdiction. The AG also raised concerns regarding the Privacy Shield, an alternative mechanism for transferring personal data from the EU to the U.S.
The judgment will be of great importance to businesses around the globe, the vast majority of which rely on SCCs to transfer personal data from the EU to the U.S., and to numerous other jurisdictions. If the CJEU rules that the SCCs are not valid, companies will need to put in place alternate transfer mechanisms, potentially on short notice. Further, such a ruling would impact preparations for transferring personal data from the EU to the UK following termination of the Brexit transition period on December 31, 2020. At present, most businesses are preparing to use SCCs for these transfers.
Background to Schrems II
The case stems from a complaint filed by privacy advocate Max Schrems with the Irish Data Protection Commissioner (“Irish DPA”) in 2015, challenging Facebook Ireland’s use of the SCCs to transfer personal data to Facebook Inc. in the U.S. Specifically, Schrems alleged that the SCCs do not ensure an adequate level of protection for EU data subjects, as U.S. legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law. A key concern was that EU personal data might be at risk of being accessed and processed by the U.S. government once transferred, in a manner incompatible with privacy rights guaranteed in the EU under the Charter of Fundamental Rights.
Accordingly, Schrems argued that there was no remedy allowing EU data subjects to ensure protection of their personal data once it had been transferred to the U.S. Following the complaint, the Irish DPA brought proceedings against Facebook in the Irish High Court, challenging the validity of the SCCs, and referring 11 questions to the CJEU for a preliminary ruling.