Following advice issued today by the EU Advocate General, it’s looking increasingly likely that judges at the EU Court of Justice will accept Standard Contractual Clauses (SCCs) remaining as a valid method to transfer data from the EU to third countries and Privacy Shield as the basis on which European’s personal data can be shipped to the US, but will require companies and regulators to monitor compliance by the third party country and stop data transfers if there is non-compliance.
The case began with Maximillian Schrems, an Austrian Facebook user, objecting to Facebook’s Irish subsidiary sending his personal details to servers in the US under the Safe Harbour rules - which Schrems contended were invalidated by the ability of US authorities to ignore any commitments for purposes of national security - as the Edward Snowden revelations made clear the NSA had done.
In an unofficial document issued today for media use, not binding on the EU Court of Justice, the Advocate General sets out the reasons that led him to question the validity of the earlier decision to accept ‘privacy shield’ as ensuring Europeans’ right to respect for private life and the right to an effective remedy.
Commenting on the document in an email to SC Media UK, Eduardo Ustaran, co-head of the global privacy and cyber-security practice at Hogan Lovells, said: "This is a big victory for the European Commission so far, as the Advocate General accepts the reasoning that the standard contractual clauses, as a tool, do their job to protect personal data outside the EU.
"However, it places the onus on companies and, ultimately, on regulators, to scrutinise the functioning of the contractual protections in practice.
"In essence, this means that organisations transferring data out of the EU cannot just sign the agreement and forget about it. Instead, they must ensure the importing organisation can comply with it.
"The Advocate General also seems to question the standard of data protection provided by the Privacy Shield, which appears to be held to a higher standard than the standard contractual clauses."
Bridget Treacy, partner and head of the UK Privacy and cyber-security practice Hunton Andrews Kurth adds, "While not legally binding, the Advocate General’s opinion that the EU Standard Contractual Clauses remain valid will be welcomed by business on both sides of the Atlantic, as the Standard Contractual Clauses are one of the key mechanisms that underpin transfers of personal data to countries outside of the EU, including to the US."
However Treacy also notes how, "... businesses that rely on the Clauses still need to assess whether the recipient can comply with the Clauses in relation to each particular transfer, and suspend transfers when that is not the case. Furthermore, EU data protection supervisory authorities have the power to suspend data transfers pursuant to the Standard Contractual Clauses when an adequate level of protection for personal data cannot be provided in light of local laws and practices in the recipient country."
Treacy adds: "Although the Advocate General’s opinion does raise concerns about the ongoing validity of the Privacy Shield Framework, which many organisations rely upon to transfer personal data from the EU to the US, the Advocate General made clear that those issues are not relevant to resolution of the current case which focuses on the validity of the EU Standard Contractual Clauses. Accordingly, assuming that the Court follows the Advocate General’s opinion, the Privacy Shield looks likely to remain a valid data transfer mechanism for transfers of personal data to the US for the time being.
She says that the Advocate General’s opinion is particularly important in light of Brexit, as it means that businesses will be able to rely on the Standard Contractual Clauses to transfer personal data from the EU to the UK once the UK has left.
Currently, under The General Data Protection Regulation (GDPR) personal data may be transferred to a third country if that country ensures an adequate level of protection of the data. In the absence of a decision of the Commission finding that the level of protection ensured in the third country in question is adequate, the data controller may nevertheless proceed with the transfer if it is accompanied by ‘appropriate safeguards,’ eg a contract between the exporter and the importer of the data containing standard protection clauses. It is the validity of that decision which is being questioned.
Schrems claims that there is no remedy that would allow the persons concerned to invoke, in the United States, their rights to respect for private life and to protection of personal data. The EU supervisory authority sought to determine whether the United States ensures adequate protection of the personal data of EU citizens and, if not, whether the use of standard contractual clauses offers sufficient safeguards.
Advocate General Henrik Saugmandsgaard Øe noted that the question is whether the standard contractual clauses relied on in support of the transfers to which Mr Schrems’ complaint relates — is valid. He found that the standard contractual clauses adopted by the Commission provide a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
However he considers that the fact that that decision and the standard contractual clauses which it sets out are not binding on the authorities of the third country of destination therefore do not prevent them from imposing obligations that are contrary to the requirements of those clauses on the importer, but says that does not in itself render that decision invalid.
Rather, it depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour. And it is this aspect which companies and regulators need to monitor so as to suspend transfers should the need arise. Deliberations are ongoing, with a subsequent ruling to be issued: the Advocate General’s opinion is in most cases followed by the CJEU in its full judgment.
The Center for Data Innovation welcomed the advice but added that these types of arguments create uncertainty and increase risk for businesses by undermining the viability of transatlantic data flows, noting in an official statemet: "This comes at a time when the EU and the United States should be fostering greater cooperation in the digital economy to respond to the risk of growing economic dominance from China. We look forward to the Court's decision next year and urge it to reaffirm the validity of SCCs and the EU-U.S. Privacy Shield."
Antony Walker, deputy CEO techUK also welcomed the suggestion that SCCs will remain valid given that many UK SMEs have invested heavily in putting SCCs in place to ensure that data can continue to flow between the UK and the EU after Brexit.
However he also notes how the Advocate General’s opinion was less definitive on questions around the EU-US Privacy Shield. "The Advocate General questioned the validity of the Privacy Shield on the right to respect for private life and the right to an effective remedy. There will be a lot of focus on how these questions are addressed by the final CJEU ruling. Whilst today’s opinion doesn’t take away all the uncertainty for businesses related to this case, the opinion will be viewed positively particularly given the additional confidence it has given in the legal validity of SCC. techUK hopes that the CJEU upholds this ruling in early 2020 given the huge ramifications for all businesses of ending the use of SCC’s."