On December 19th 2019, the Advocate General (AG) of the Court of Justice of the EU (CJEU) published his opinion in the ongoing litigation brought by privacy activist Max Schrems (colloquially known as Schrems 2) regarding the lawfulness of personal data transfers by Facebook Ireland to Facebook Inc. in the United States. The opinion recommends that standard contractual clauses (SCCs) be upheld as a lawful basis for transferring personal data outside of the EU, provided certain conditions are met, but calls into question the lawfulness of the EU-US Privacy Shield. Considering the pervasive use of SCCs by organisations in order to transfer personal data outside of the EU, the opinion is welcome news for data processors and controllers operating internationally.
The transfer of personal data outside of the EEA is prohibited by EU data protection law, unless a finding of adequacy for the destination country is made by the European Commission (EC), or if the data controller has relied on an approved method of transfer. As no finding of adequacy has yet been made regarding the United States, the US government and the EC instituted a self-certification program called ‘Safe Harbour’ in order to help organisations transfer personal data from the EU to the US.
Mr. Schrems’ first case (Schrems 1) successfully challenged transfers of personal data from Facebook Ireland to the US servers of Facebook Inc. (headquartered in Menlo Park, California); the CJEU ultimately held that Safe Harbour was invalid. After the decision, many organisations which wished to continue transferring personal data outside of the EEA came to rely on EC-approved SCCs, or the EU-US Privacy Shield which replaced Safe Harbour in 2016. While the EC claimed that the Privacy Shield sufficiently dealt with Safe Harbour’s legal shortcomings, Mr. Schrems subsequently challenged Facebook’s use of SCCs and the Privacy Shield, which was eventually referred to the CJEU by the Irish High Court.
Opinion on Standard Contractual Clauses
Mr. Schrems argued that the SCCs should not permit Facebook to transfer his personal data to the US, as they do not afford a remedy to invoke the EU Charter of Fundamental Rights (EU Charter) in the US jurisdiction. Specifically, Mr. Schrems argued that US data protection law fails explicitly to limit interference with a data subject’s right to protection of personal data, as afforded under the EC’s 2010 Decision establishing SCCs, thereby preventing ensured protection of their data once transferred to the US. Mr. Schrems sought to have the Irish Data Protection Authority (DPA) suspend personal data transfers from Facebook Ireland to the US, and the DPA brought the subsequently referred proceedings to the Irish High Court.
Despite Mr. Schrems’ contentions, the AG opined that SCCs do in fact afford adequate levels of protection, and that transfers based on such means do not violate the EU Charter. In his view, the fact that SCCs are not legally binding upon the third country data protection authorities does not invalidate SCCs for providing insufficient safeguards. In reaching this conclusion, the AG pointed out that SCCs mandate the suspension of data transfers if the data recipient is unable to honour an SCC’s protections due to local laws or practices. Where such a case exists, EU data protection authorities should suspend or prohibit personal data transfers to that country.
Effectively, the AG opined that if it is impossible for personal data to be protected when transferred to a third country, the transferring controller ought to suspend such transfers; where the controller fails to do so, the transfers should be prohibited or suspended by the relevant DPA. In reaching his opinion, the AG stressed the importance of balancing a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’ with promoting the values recognised by the Charter.
The key takeaway is that SCCs do not provide transferring organisations free rein to transfer data to third countries, as they are still required to consider whether local law conflicts with the protections provided for in the underlying SCCs.
In applying this to Schrems 2, it would therefore be incumbent upon the Irish DPA to prohibit or suspend Facebook’s personal data transfers to the US, if it concluded that US law conflicts with the underlying SCC provisions.
Opinion on Privacy Shield
Despite finding earlier in his opinion that there was no need to examine the validity of the Privacy Shield, in part because it assumes recipient state laws need to afford adequate protection for SCCs in order to be available, the AG raised several concerns regarding whether the 2016 replacement scheme conformed with EU data protection law. One of the changes under the Privacy Shield was the establishment of a US Privacy Ombudsman, tasked with adjudicating complaints and ensuring that data subjects impacted by EU-US transfers have a means of legal redress. Mr. Schrems challenged this aspect of the Privacy Shield and its relation to data retention in the US, specifically access to retained data by US intelligence services.
The AG’s main concern centred on whether the Ombudsman position satisfies the requirement of judicial independence and impartiality, and whether the recourse provided ensures independent control of intelligence surveillance measures. The AG’s opinion was that it does not, as the Ombudsman is an appointee of the US Secretary of State and therefore not independent of the executive branch. For this reason, the AG called into doubt Privacy Shield’s compatibility with the GDPR and the EU Charter.
The CJEU has now commenced deliberations on the evidence made available to the AG, and the Court’s full judgement is due later this year. If the AG’s opinion is followed, this would confirm SCCs as a valid means of transferring personal data from the EU to third countries. While not legally binding, it is worth noting that AG opinions are followed by the Court in roughly 80% of cases.
In the context of Brexit, the opinion is of particular interest to controllers and processors that currently transfer, or plan to transfer, data between the EU and the UK, as many organisations have relied heavily on SCCs in preparing for Brexit. If the Court follows the AG’s opinion, organisations will be able to rely on SCCs for EU-UK transfers once the UK has formally withdrawn from the EU, providing much-needed certainty.
However, if the Court’s ruling diverges from the AG’s opinion, transferring controllers and processors will need to rely on alternative means of transferring data outside of the EU. Furthermore, even if followed, the AG’s concerns over Privacy Shield and the need to assess whether local laws conflict with SCCs may create further problems in the future.