Schrems II - Advocate General's Opinion
Case C-311/18 Data Protection Commissioner v Facebook Ireland LtdThe question
Are the standard contractual clauses (SCCs) compatible with the requirements of data protection legislation, irrespective of the level of protection in the country of transfer?
The key takeaway
The Advocate General recommended that the CJEU upholds the validity of the SCCs, on the basis that they provide a valid mechanism of transfer regardless of the level of protection in the country of transfer.
The SCCs are clauses issued by the European Commission that offer safeguards on data protection for the international transfer of data. A complaint was made to the Irish Data Protection Commissioner (DPC) by the privacy activist, Max Schrems. Mr Schrems complained about Facebook Ireland transferring his data outside the EU to Facebook Inc in the USA. The US data processing was authorised based on the SCCs, however Mr Schrems argued that the US regime did not provide the data protection safeguards he was entitled to under EU law.
The DPC had concerns that there was no sufficient US remedy for an EU citizen, whose personal data may be at risk of being accessed by US state agencies for national security purposes, in a way that was incompatible with the EU Charter of Fundamental Rights. The DPC sought a ruling on the validity of the SCCs.
The Advocate General noted that, if the European Commission has not decided that the level of protection in a third country is adequate, the data controller can proceed with the data transfer if sufficient safeguards are in place; the SCCs can be one of these safeguards.
The Opinion discusses two methods of ensuring GDPR protections on data transferred to third countries are met. One is an adequacy decision – the third country’s law and practices awards protection equivalent to the GDPR, read in the context of the EU Charter. The second is the use of the SCCs, which contractually ensure the required level of protection regardless of the level of protection guaranteed in the third country.
However, there must be a method of ensuring that SCC-based transfers can be suspended or prohibited where those clauses are breached or impossible to honour.
Why is this important?
An obligation appears to be imposed on companies and foreign authorities to suspend or prohibit data transfers where there is a conflict between the SCCs and the third country’s laws. Hence data importers should review their transfers and inform the exporter should compliance with the SCCs be impossible due to national security laws in the importers’ jurisdiction.
Companies are expected to review the national security laws of the data importer to ascertain compliance and examine all transfers made under SCCs carefully.
Although the Advocate General’s opinion is not binding, it provides a useful perspective to the CJEU when it makes its final decision.
Any practical tips?
Don’t relax quite yet. We await the CJEU’s final decision, and it does not necessarily always follow the Advocate General’s lead. Also, the Advocate General expressed doubts as to the validity of EU-US Privacy Shield. With the death of the Safe Harbour regime still in recent memory (Schrems I), it feels like there could be yet further change in the shifting sands of international data transfers. For now, the SCCs remain your best bet.