20.12.19 Schrems II: the end of standard contractual clauses? We are safe for now…
When transferring personal data from the EU to countries outside the European Economic Area (EEA) not offering adequate protection of personal data, appropriate additional safeguards must be put in place. To do so, companies often rely on the Standard Contractual Clauses (SCCs) issued by the European Commission under Directive 95/46/EC. Whether these clauses remain valid in the aftermath of the Snowden revelations on US mass surveillance is at issue in a preliminary question to the European Court of Justice (ECJ). Yesterday, the Advocate-General published his opinion in the matter (C-311/18).
The Schrems vs. Facebook saga continues. Transferring personal data from the EU to a third country is only possible when “an adequate level of protection” is ensured or when “appropriate safeguards” are put in place. The EU Commission has established Standard Contractual Clauses (SCCs) that can be used for international transfers of EU personal data. However, it should be noted that there is a fundamental difference between European legislation, which seeks to protect data, and for instance US legislation, which is more focused on mass surveillance.
But first, what are SCCs exactly?
SCCs are standard sets of contractual terms and conditions that can be used for international data transfers to countries outside the European Economic Area (EEA). These contractual obligations warrant compliance with the GDPR’s requirements and extend the scope of these rules to territories that are not considered to offer an adequate level of protection for the rights and freedoms of data subjects. SCCs are not only used by the US social media giant Facebook, but are widely used by companies ranging from banks to industrial companies to transfer personal data to the US and other parts of the world.
The SCCs at stake are the SCCs issued by the EU Commission in 2010 under Directive 95/46/EC. The EU Commission has not yet issued SCCs under the GDPR.
Background of Schrems II
Personal data of European Facebook users are transferred from Facebook Ireland to its parent company Facebook Inc. located in the US. In order to do so, Facebook relies on SCCs. However, given the revelations made by whistle-blower Edward Snowden on the mass surveillance practices of the US intelligence services, the question arose as to whether US law and practices offer sufficient protection against surveillance by public authorities of European personal data that has been transferred to the US.
As the case also originated from a complaint by privacy activist Max Schrems to the Irish Data Protection Commissioner (DPC) against Facebook Ireland, it can be seen as the sequel to Schrems I, in which the Safe Harbour principles were declared invalid and the decision of the Irish DPC declaring Schrems' complaint invalid was annulled. The case came once again before the Irish DPC, where Schrems reformulated his complaint. According to Schrems, it is not possible for Europeans to invoke their rights to privacy and data protection in the US. To investigate this, the Irish DPC brought the case before the High Court, since the decision was dependent on the validity of the SCCs.
The Irish High Court confirmed the concerns of the Irish DPC about indiscriminate mass processing of personal data by US government agencies and the absence of an effective remedy under US law, as guaranteed by Article 47 of the Charter. Given the foregoing, the Irish High Court referred the case to the ECJ, raising eleven preliminary questions on EU-US data transfers.
Opinion of the Advocate-General: key take-aways
In response to the first question, the Advocate-General considers that transfers of personal data to a third country in the framework of a commercial activity and where such personal data are afterwards processed for purposes that include the protection of national security are subject to EU law.
Validity of SCCs
The Advocate-General argues that the SCCs are valid. The Advocate-General concludes that SCCs provide a general mechanism applicable to international transfers, irrespective of the third country of destination and the level of protection guaranteed by it.
The issue arose whether Commission Decision 2010/87, by which the SCCs at stake were issued, is compatible with Articles 7, 8 and 47 of the Charter. The fact that the contractual provisions are not binding on third country authorities, leaving them free to take decisions contrary to those contractual provisions, does not, according to the Advocate-General, in and of itself render the contractual provisions invalid.
The compatibility of the SCCs with the Charter depends, according to the Advocate-General, on “whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour.” The Advocate-General is of the opinion that this is the case insofar as “there is an obligation – placed on the data controllers and, where the latter fail to act, on the supervisory authorities – to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.” The Advocate-General concludes that, in the case at hand, there are no elements indicating that the SCCs would be incompatible with Articles 7, 8 and 47 of the Charter.
Other questions and validity of the Privacy Shield decision
The Advocate-General considers the other questions that were raised by the Irish High Court, as well as the implicit question on the validity of the Privacy Shield, irrelevant in this regard, as they would not affect the finding as to the validity in abstracto of the SCCs or influence the dispute in the main proceedings.
Nevertheless, the Advocate-General could not resist stating his reasoning on the basis of which he would question the validity of the Privacy Shield decision by making reference to the right to respect for private life and data protection and the right to an effective remedy.
Data transfers with companies outside the EEA by way of SCCs are valid, for now…
The importance of this issue should not be underestimated. Both the SCCs and the Privacy Shield are at stake, as a result of which various organisations have intervened, including representatives of the EU Parliament, the EU Commission, the European Data Protection Board (EDPB), several EU Member States (including Belgium), the U.S. government and the Electronic Privacy Information Center, as well as a number of industry lobby groups. A declaration of invalidity of the SCCs by the ECJ would indeed have a major impact on companies all over the world (including maybe in the UK after Brexit). In such a case, companies would have to cease transfers of personal data to third countries, except (i) in case of an adequacy decision (Article 45 GDPR), (ii) if they enter into Binding Corporate Rules (Article 47 GDPR) or (iii) if they can rely upon one of the limited and narrowly formulated derogations (consent, necessity for the performance of a contract, necessity for important reasons of public interest, necessity for the protection of the vital interests of the data subject, etc.) (Article 49 GDPR).
It should be noted that, to date, only the (non-binding yet authoritative) opinion of the Advocate-General has been published. The ECJ’s final decision will probably be rendered in the coming months.
Lydian’s Information Governance and Data Protection (Privacy) team wishes you a joyous festive Holiday Season and a prosperous New Year.