Schrems 2.0: European Court of Justice Advocate General Renders Opinion

On December 19, 2019, the European Court of Justice (ECJ) Advocate General, Henrik Saugmandsgaard ØE, provided his opinion on the validity of Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. The rendered opinion confirms that companies relying upon SCCs do not need to consider changing their approach at this time.

en flag
nl flag
fi flag
fr flag
de flag
pt flag
ru flag
es flag

Editor’s Note: On December 19, 2019, the European Court of Justice (ECJ) Advocate General, Henrik Saugmandsgaard ØE, provided his opinion on the validity of Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. The rendered opinion confirms that companies relying upon SCCs do not need to consider changing their approach at this time. Provided in this post is a compilation of informational extracts that may be helpful for those seeking to understand the content and context of this recent opinion regarding data transfer practices.


Press Announcement from the Court of Justice of the European Union

According to Advocate General Saugmandsgaard Øe, Commission Decision 2010/87/EU on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries is Valid

Full PDF Copy of the Court of Justice of the European Union Press Release No. 165/19

cp190165en

Read the complete release of the ECJ Opinion


An extract from an article by Laura Song of Alston & Bird

Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General

Opinion Background: Max Schrems first filed a complaint against Facebook’s data transfer practices with the Irish data protection authority (Data Protection Commission or DPC) in 2013 which led to the invalidation of the U.S.-EU Safe Harbor framework by the European Court of Justice (ECJ), the highest court of the EU, in October 2015. As a result, many companies that previously relied on Safe Harbor for data transfers adopted SCCs to transfer data to processors outside of the EU since the replacement for Safe Harbor, Privacy Shield, was not operational until August 2016.

In the wake of the Court’s decision, Mr. Schrems filed a new complaint with the DPC focused on Facebook’s transfer of personal data from the EU to the US-based on SCCs. In response, the DPC sought clarity through the courts not only on the validity of SCCs but also on Privacy Shield. The DPC filed a claim with the Irish High Court which subsequently referred the case to the ECJ along with 11 questions. On July 9, 2019, the ECJ heard oral arguments in the case (Schrems 2.0).

On December 19, 2019, the Court’s Advocate General Henrik Saugmandsgaard Øe provided his opinion for Schrems 2.0.

Read the complete article at Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General


Introduction and Conclusion from Opinion from the European Court of Justice

Opinion of Advocate General Saugmandsgaard ØE Delivered on 19 December 2019 (Case C-311/18)

Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, interveners: The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance, Inc., Digitaleurope (request for a preliminary ruling from the High Court, Ireland).

Introduction

In the absence of common personal data protection safeguards at global level, cross-border flows of such data entail a risk of a breach in continuity of the level of protection guaranteed in the European Union. Desirous of facilitating those flows while limiting that risk, the EU legislature has established three mechanisms whereby personal data may be transferred from the European Union to a third State.

In the first place, such a transfer may take place on the basis of a decision whereby the European Commission finds that the third State in question ensures an ‘adequate level of protection’ of the data transferred to it. In the second place, in the absence of such a decision, the transfer is authorized when it is accompanied by ‘appropriate safeguards’. Those safeguards may take the form of a contract between the exporter and the importer of the data containing standard protection clauses adopted by the Commission. The GDPR makes provision, in the third place, for certain derogations, based in particular on the consent of the data subject, that allow the data to be transferred to a third country even in the absence of an adequacy decision or appropriate safeguards.

The request for a preliminary ruling submitted by the High Court, Ireland (‘the High Court’) relates to the second of those mechanisms. It concerns, more specifically, the validity of Decision 2010/87/EU, whereby the Commission established standard contractual clauses for certain categories of transfers, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

The request was submitted in proceedings brought by the Data Protection Commissioner, Ireland (‘the DPC’) against Facebook Ireland Ltd and Mr Maximillian Schrems in respect of a complaint lodged by Mr Schrems before the DPC concerning the transfer of personal data relating to him by Facebook Ireland to Facebook, Inc., its parent company, established in the United States of America (‘the United States’). The DPC takes the view that the assessment of that complaint is conditional on the validity of Decision 2010/87. In that regard, it requested that the referring court seek clarification from the Court of Justice on that point.

Let me state at the outset that examination of the questions for a preliminary ruling has in my view disclosed nothing to affect the validity of Decision 2010/87.

Furthermore, the referring court has highlighted certain doubts relating, in essence, to the adequacy of the level of protection guaranteed by the United States with regard to the interferences by the United States intelligence authorities with the exercise of the fundamental rights of the individuals whose data are transferred to the United States. Those doubts indirectly called into question the assessments made by the Commission in that respect in the Implementing Decision 2016/1250. (Although the resolution of the dispute in the main proceedings does not require the Court to settle that issue, and although I, therefore, suggest that it refrain from doing so, I shall set out, in the alternative, the reasons that lead me to question the validity of that decision.

My analysis as a whole will be guided by the desire to strike a balance between, on the one hand, the need to show a ‘reasonable degree of pragmatism in order to allow interaction with other parts of the world’, and, on the other hand, the need to assert the fundamental values recognized in the legal orders of the Union and its Member States, and in particular in the Charter.

Conclusion

I propose that the Court answer the questions for a preliminary ruling referred by the High Court, Ireland, as follows:

Analysis of the questions for a preliminary ruling has disclosed nothing to affect the validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016.

Read the complete opinion at Opinion of Advocate General Saugmandsgaard ØE Delivered on 19 December 2019 (Case C-311/18)


News Commentary from the Data Protection Commission (DPC) Ireland

DPC Statement on AG Opinion on Case #C-311/18 CJEU

The DPC welcomes the publication of the AG’s opinion on case #C-311/18 CJEU. The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States. Equally, the opening section of the opinion recognizes the significant tensions that arise between, on the one hand, the need to show pragmatism, and on the other, “the need to assert the fundamental values recognized in the legal orders of the Union and its member states, and in particular, the Charter.”

Some of the points of complexity engaged here go to matters of substance. To take just three examples: does EU law apply at all when data subject’s personal data is processed by public authorities in a third country (the AG believes it does); do US laws and practices facilitate interferences with the data protection rights of individuals that are incompatible with EU law (they do, in the view of the AG); and are those problems cured by Privacy Shield (no, in the opinion of the AG).

Separately, the opinion likewise notes that, in individual cases, the standard contractual clauses likewise may not provide an answer to the problems that arise when data transfers bring EU citizens’ data within the remit of US public authorities. At this point, procedural complexities also come into view. Specifically, who should intervene when, in the context of an individual transfer, the level of protection demanded by EU law cannot be maintained? Here, whilst acknowledging its imperfections, and the practical difficulties it presents, and notwithstanding the risk of fragmentation amongst supervisory authorities within the member states, the AG concludes that the approach settled upon by the EU in the context of the SCCs strikes an appropriate balance between pragmatism and principle. That approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the AG, with national supervisory authorities where a controller fails to discharge its obligations.

Whilst noting that these issues are yet to be determined by the Court, the DPC welcomes the clarity of the analysis contained in the AG’s opinion.

Read the original news announcement at DPC statement on AG opinion on case # C-311/18 CJEU


Additional Reading

Source: ComplexDiscovery

Image: Courtesy of the Court of Justice of the European Union

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is an online publication that highlights data and legal discovery insight and intelligence ranging from original research to aggregated news for use by business, information technology, and legal professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding data and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of data and legal discovery organizations. Registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world, ComplexDiscovery OÜ operates virtually worldwide to deliver marketing consulting and services.

Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

The results of the recent Summer 2020 eDiscovery Business Confidence Survey present the unfortunate and continuing impact of COVID-19 on the business of eDiscovery. However, for these pandemic-driven results to be fully understood, they should be viewed through the contextual lens of the results of all nineteen surveys that have been administered to eDiscovery professionals since the inception of the eDiscovery Business Confidence Survey in early 2016.



Check Out the Observations Now!

Interested in Contributing?

ComplexDiscovery combines original industry research with curated expert articles to create an informational resource that helps legal, business, and information technology professionals better understand the business and practice of data discovery and legal discovery.

All contributions are invested to support the development and distribution of ComplexDiscovery content. Contributors can make as many article contributions as they like, but will not be asked to register and pay until their contribution reaches $5.

An eDiscovery Holiday Season Down Under? Macquarie Prepares Nuix for IPO

According to John Beveridge, writing for Small Caps, Macquarie holds a...

Collaborative Cyber Defense: The U.S. Army and Estonia Sign Historic Agreement

“Estonia is a cyber country of excellence with a robust cyber...

Festive or Restive? The Fall 2020 eDiscovery Business Confidence Survey

Since January 2016, 2,189 individual responses to nineteen quarterly eDiscovery Business...

Blue-Sueded? Considerations for Decision Making

While an understanding of decisions from definitions and elements to cornerstones...

A Running List: Top 100+ eDiscovery Providers

Based on a compilation of research from analyst firms and industry...

The eDisclosure Systems Buyers Guide – 2020 Edition (Andrew Haslam)

Authored by industry expert Andrew Haslam, the eDisclosure Buyers Guide continues...

The Race to the Starting Line? Recent Secure Remote Review Announcements

Not all secure remote review offerings are equal as the apparent...

Enabling Remote eDiscovery? A Snapshot of DaaS

Desktop as a Service (DaaS) providers are becoming important contributors to...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Revisions and Decisions? New Considerations for eDiscovery Secure Remote Reviews

One of the key revision and decision areas that business, legal,...

A Macro Look at Past and Projected eDiscovery Market Size from 2012 to 2024

From a macro look at past estimations of eDiscovery market size...

An eDiscovery Market Size Mashup: 2019-2024 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Festive or Restive? The Fall 2020 eDiscovery Business Confidence Survey

Since January 2016, 2,189 individual responses to nineteen quarterly eDiscovery Business...

Casting a Wider Net? Predictive Coding Technologies and Protocols Survey – Fall 2020 Results

The Predictive Coding Technologies and Protocols Survey is a non-scientific semi-annual...

Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

Based on the aggregate results of nineteen past eDiscovery Business Confidence...

A Growing Concern? Budgetary Constraints and the Business of eDiscovery

In the summer of 2020, 56% of respondents viewed budgetary constraints...

An eDiscovery Holiday Season Down Under? Macquarie Prepares Nuix for IPO

According to John Beveridge, writing for Small Caps, Macquarie holds a...

ayfie to Acquire Haive

According to Johannes Stiehler, CEO of ayfie Group AS, “This acquisition...

Innovative Discovery and Integro Merge

“Integro and Innovative Discovery’s services and solutions are highly complementary. Our...

Software Growth Partners Makes Majority Investment in Venio Systems

According to the press announcement, industry analysts have enthusiastically supported this...

Five Great Reads on eDiscovery for August 2020

From predictive coding and artificial intelligence to antitrust investigations and malware,...

Five Great Reads on eDiscovery for July 2020

From business confidence and operational metrics to data protection and privacy...

Five Great Reads on eDiscovery for June 2020

From collection market size updates to cloud outsourcing guidelines, the June...

Five Great Reads on eDiscovery for May 2020

From review market sizing revisions to pandemeconomic pricing, the May 2020...