Five years after prompting the decision that invalidated the Safe Harbor Framework, Max Schrems is back to challenge data transfer mechanisms again. At stake this time? Whether the Standard Contractual Clauses provide adequate protection for personal data transfers. The Court’s decision is expected July 16th.
Max Schrems is an Austrian lawyer and data privacy campaigner whose 2013 suit led to the invalidation of the Safe Harbor Framework. In his recent suit, Case C-311/18, known colloquially as “Schrems II”, the Court of Justice of the European Union (“CJEU”) must determine whether the Standard Contractual Clauses for Data Transfers Between Controllers Established in the EU to Processors Established Outside the EU (“SCCs”) provide an adequate level of protection for personal data. Recently, the CJEU stated that it will deliver judgment on this case on July 16, 2020.
The EU General Data Protection Regulation (“GDPR”) sets out, among other things, when and how a transfer of personal data protected by the GDPR may take place. Specific requirements apply when the data is moving to countries outside of the EEA (i.e. a ‘restricted transfer’). Organizations can make a restricted transfer if that transfer is covered by one of three options: an adequacy decision by the European Commission (“Commission”), appropriate safeguards (one of which is the SCCs), or a derogation listed in the GDPR. The most frequently used transfer mechanism is the SCCs [1]. If the SCCs are invalidated, organizations around the world that have relied on them to transfer personal data outside the EU/EEA will be forced to suspend data transfer operations until they are able to comply with an alternative data transfer mechanism.
Summary of the AG’s Opinion on Schrems II
While we do not know for certain what the CJEU’s judgment will be, we have a good indication: the Advocate General’s (“AG”) opinion. The AG is required to independently propose a legal solution to the CJEU for cases on which the CJEU will issue judgment. Although these solutions are advisory and non-binding for the CJEU, they are generally indicative of the direction the Court is likely to take in its judgment.
AG Henrik Saugmandsgaard Øe’s analysis does not appear to contain any final conclusions that would invalidate the Commission’s previous decision on the adequacy of SCCs for the transfer of personal data to recipients in third countries (“SCC Commission Decision”). However, the AG did note some outstanding questions and key considerations relating to the validity and efficacy of the SCCs’ statements regarding personal data protections within the U.S. national security context.
Article 46(1) of the GDPR provides that a transfer on the basis of appropriate safeguards can take place only ‘on condition that enforceable data subject rights and effective legal remedies for data subjects are available’. The AG’s opinion states that it will be necessary to ascertain whether the safeguards provided for in the SCCs, supplemented by the powers of data protection supervisory authorities, make it possible to ensure that this condition is met. Crucially, the AG’s opinion suggests that the SCCs as written contain an obligation to suspend or prohibit a transfer when the SCCs cannot be complied with due to a conflict with obligations imposed by the law of the country of destination. The opinion specifically noted the presence of this conflict relating to laws permitting interception or surveillance of information by security agencies or governmental authorities when such laws are not a “necessary and proportionate measure in a democratic society to safeguard specific important interests” [2]. This obligation is placed on the controllers and, where they fail to act, on the data protection supervisory authorities.
The AG’s concern relates to the practical difficulties data protection authorities face in carrying out this obligation. Data protection supervisory authorities are responsible for ensuring observance of data subjects’ fundamental rights in the context of specific transfers or data flows to a specific recipient. For example, the supervisory authorities may suspend or prohibit a data transfer to a third country where the protection of the data subject’s rights requires such suspension or prohibition. However, that action would not address the systemic problems relating to the absence of adequate safeguards in that third country. The supervisory authorities’ powers can be exercised only on a case-by-case basis, whereas the deficiencies in the third country’s law may be general and structural in nature. This presents the risk that different supervisory authorities will make diverging decisions on similar data transfers, resulting in fragmented or inconsistent application. However, the AG emphasized that these practical difficulties do not invalidate the SCC Commission Decision.
Although the Irish Data Protection Commission – the lead regulator on this case – has welcomed the publication of the AG’s opinion, it has also pointed out that the AG’s opinion does not provide a solution for procedural complexities that arise when there is conflict or misalignment between the SCCs and the national laws of the recipient country. Further, the AG’s opinion leaves open the possibility that unaddressed questions, such as those very procedural complexities, may be raised and addressed at a later date. Essentially, even if the CJEU maintains the validity of the SCCs in this case, they may be challenged again in the future.
Effect of the AG’s Opinion on the Validity of the EU-US Privacy Shield
Although the AG has doubts regarding whether the EU-U.S. Privacy Shield Decision is consistent with certain provisions of the GDPR, the EU Charter of Fundamental Rights, and the European Convention on Human Rights, he has clearly stated that the subject matter of Schrems II is limited to the validity of the SCC Commission Decision. Therefore, there is no need to rule on the validity of the Privacy Shield decision at this time.
Once the CJEU has given its judgment on the Schrems II case, the General Court of the European Union will be hearing a case brought by three French NGOs – La Quadrature du Net, French Data Network, and Fédération FDN – who claim that the EU-U.S. Privacy Shield fails to uphold fundamental EU rights. VeraSafe is closely monitoring this case and we will issue a status update when there has been significant progress.
If the CJEU follows the AG’s opinion in full, the SCCs will remain a valid data transfer mechanism for the time being. The CJEU has announced that judgment on this case will be delivered on July 16, 2020.
VeraSafe’s legal experts have hands-on experience with analyzing an organization’s personal information processing practices and data flows, identifying compliance gaps and risks, and assisting clients in mitigating those risks, including risks related to international data transfers. Contact us today if you are concerned about the impact of Schrems II on your organization’s compliance status.
[1] According to a survey conducted by the International Association of Privacy Professionals and EY, SCCs are by far the most common method used to transfer data outside of the EU. 88% of the surveyed companies indicated that they used SCCs to transmit data outside the EU. See IAPP-EY Annual Privacy Governance Report 2019, page 77.
[2] Recital 19 GDPR.