Editor’s Note: On December 19, 2019, the European Court of Justice (ECJ) Advocate General, Henrik Saugmandsgaard ØE, provided his opinion on the validity of Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. The rendered opinion confirms that companies relying upon SCCs do not need to consider changing their approach at this time. Provided in this post is a compilation of informational extracts that may be helpful for those seeking to understand the content and context of this recent opinion regarding data transfer practices.
Press Announcement from the Court of Justice of the European Union
According to Advocate General Saugmandsgaard Øe, Commission Decision 2010/87/EU on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries is Valid
Full PDF Copy of the Court of Justice of the European Union Press Release No. 165/19cp190165en
An extract from an article by Laura Song of Alston & Bird
Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General
Opinion Background: Max Schrems first filed a complaint against Facebook’s data transfer practices with the Irish data protection authority (Data Protection Commission or DPC) in 2013 which led to the invalidation of the U.S.-EU Safe Harbor framework by the European Court of Justice (ECJ), the highest court of the EU, in October 2015. As a result, many companies that previously relied on Safe Harbor for data transfers adopted SCCs to transfer data to processors outside of the EU since the replacement for Safe Harbor, Privacy Shield, was not operational until August 2016.
In the wake of the Court’s decision, Mr. Schrems filed a new complaint with the DPC focused on Facebook’s transfer of personal data from the EU to the US-based on SCCs. In response, the DPC sought clarity through the courts not only on the validity of SCCs but also on Privacy Shield. The DPC filed a claim with the Irish High Court which subsequently referred the case to the ECJ along with 11 questions. On July 9, 2019, the ECJ heard oral arguments in the case (Schrems 2.0).
On December 19, 2019, the Court’s Advocate General Henrik Saugmandsgaard Øe provided his opinion for Schrems 2.0.
Introduction and Conclusion from Opinion from the European Court of Justice
Opinion of Advocate General Saugmandsgaard ØE Delivered on 19 December 2019 (Case C-311/18)
Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, interveners: The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance, Inc., Digitaleurope (request for a preliminary ruling from the High Court, Ireland).
In the absence of common personal data protection safeguards at global level, cross-border flows of such data entail a risk of a breach in continuity of the level of protection guaranteed in the European Union. Desirous of facilitating those flows while limiting that risk, the EU legislature has established three mechanisms whereby personal data may be transferred from the European Union to a third State.
In the first place, such a transfer may take place on the basis of a decision whereby the European Commission finds that the third State in question ensures an ‘adequate level of protection’ of the data transferred to it. In the second place, in the absence of such a decision, the transfer is authorized when it is accompanied by ‘appropriate safeguards’. Those safeguards may take the form of a contract between the exporter and the importer of the data containing standard protection clauses adopted by the Commission. The GDPR makes provision, in the third place, for certain derogations, based in particular on the consent of the data subject, that allow the data to be transferred to a third country even in the absence of an adequacy decision or appropriate safeguards.
The request for a preliminary ruling submitted by the High Court, Ireland (‘the High Court’) relates to the second of those mechanisms. It concerns, more specifically, the validity of Decision 2010/87/EU, whereby the Commission established standard contractual clauses for certain categories of transfers, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).
The request was submitted in proceedings brought by the Data Protection Commissioner, Ireland (‘the DPC’) against Facebook Ireland Ltd and Mr Maximillian Schrems in respect of a complaint lodged by Mr Schrems before the DPC concerning the transfer of personal data relating to him by Facebook Ireland to Facebook, Inc., its parent company, established in the United States of America (‘the United States’). The DPC takes the view that the assessment of that complaint is conditional on the validity of Decision 2010/87. In that regard, it requested that the referring court seek clarification from the Court of Justice on that point.
Let me state at the outset that examination of the questions for a preliminary ruling has in my view disclosed nothing to affect the validity of Decision 2010/87.
Furthermore, the referring court has highlighted certain doubts relating, in essence, to the adequacy of the level of protection guaranteed by the United States with regard to the interferences by the United States intelligence authorities with the exercise of the fundamental rights of the individuals whose data are transferred to the United States. Those doubts indirectly called into question the assessments made by the Commission in that respect in the Implementing Decision 2016/1250. (Although the resolution of the dispute in the main proceedings does not require the Court to settle that issue, and although I, therefore, suggest that it refrain from doing so, I shall set out, in the alternative, the reasons that lead me to question the validity of that decision.
My analysis as a whole will be guided by the desire to strike a balance between, on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’, and, on the other hand, the need to assert the fundamental values recognized in the legal orders of the Union and its Member States, and in particular in the Charter.
I propose that the Court answer the questions for a preliminary ruling referred by the High Court, Ireland, as follows:
Analysis of the questions for a preliminary ruling has disclosed nothing to affect the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016.
News Commentary from the Data Protection Commission (DPC) Ireland
DPC Statement on AG Opinion on Case #C-311/18 CJEU
The DPC welcomes the publication of the AG’s opinion on case #C-311/18 CJEU. The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States. Equally, the opening section of the opinion recognizes the significant tensions that arise between, on the one hand, the need to show pragmatism, and on the other, “the need to assert the fundamental values recognized in the legal orders of the Union and its member states, and in particular, the Charter.”
Some of the points of complexity engaged here go to matters of substance. To take just three examples: does EU law apply at all when data subject’s personal data is processed by public authorities in a third country (the AG believes it does); do US laws and practices facilitate interferences with the data protection rights of individuals that are incompatible with EU law (they do, in the view of the AG); and are those problems cured by Privacy Shield (no, in the opinion of the AG).
Separately, the opinion likewise notes that, in individual cases, the standard contractual clauses likewise may not provide an answer to the problems that arise when data transfers bring EU citizens’ data within the remit of US public authorities. At this point, procedural complexities also come into view. Specifically, who should intervene when, in the context of an individual transfer, the level of protection demanded by EU law cannot be maintained? Here, whilst acknowledging its imperfections, and the practical difficulties it presents, and notwithstanding the risk of fragmentation amongst supervisory authorities within the member states, the AG concludes that the approach settled upon by the EU in the context of the SCCs strikes an appropriate balance between pragmatism and principle. That approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the AG, with national supervisory authorities where a controller fails to discharge its obligations.
Whilst noting that these issues are yet to be determined by the Court, the DPC welcomes the clarity of the analysis contained in the AG’s opinion.
Image: Courtesy of the Court of Justice of the European Union