The Advocate General’s Opinion of December 19, 2019 deemed valid the Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. Currently, many companies rely on SCCs as a mechanism for transferring personal data from the EU to non-EU countries in compliance with the GDPR. The opinion therefore confirms that companies relying on SCCs do not need to consider changing their practices.
Background
Max Schrems first filed a complaint against Facebook’s data transfer practices with the Irish data protection authority (Data Protection Commission or DPC) in 2013 which led to the invalidation of the U.S.-EU Safe Harbor framework by the European Court of Justice (ECJ), the highest court of the EU, in October 2015. As a result, many companies that previously relied on Safe Harbor for data transfers adopted SCCs to transfer data to processors outside of the EU since the replacement for Safe Harbor, Privacy Shield, was not operational until August 2016.
In the wake of the Court’s decision, Mr. Schrems filed a new complaint with the DPC focused on Facebook’s transfer of personal data from the EU to the US based on SCCs. In response, the DPC sought clarity through the courts not only on the validity of SCCs but also on Privacy Shield. The DPC filed a claim with the Irish High Court which subsequently referred the case to the ECJ along with 11 questions. On July 9, 2019, the ECJ heard oral arguments in the case (Schrems 2.0).
Advocate General’s Opinion
On December 19, 2019, the Court’s Advocate General Henrik Saugmandsgaard Øe provided his opinion for Schrems 2.0. Although not legally binding, the opinion of the Advocate General is highly influential. Below are three key takeaways from the opinion:
- The ECJ should focus its decision on the subject matter at issue to allow the Irish High Court to resolve the dispute in the main proceedings (i.e. address the validity of SCCs and ignore questions regarding Privacy Shield).
- The safeguards and level of data protection provided in the country in which data is transferred is not relevant to the validity of SCCs. SCCs are a valid data transfer mechanism because they provide the appropriate safeguards for data transfers from the EU through the soundness of the safeguards provided by the clauses.
- Where there is a conflict between the provisions of the SCCs and the law of the country where the data is being transferred to, the controller (data exporter) must suspend or prohibit affected data transfers where the provisions of the SCCs cannot be complied with. This is because any failure to implement the SCCs by the processor (data importer) means that the controller cannot warrant an adequate level of protection in accordance with the SCCs. Where a controller fails to suspect or prohibit transfers, the competent data protection authority must ensure that the transfers are suspended or prohibited. This should be determined on a case-by-case basis for each specific transfer by the controller.
What’s Next
Typically, the ECJ will issue a judgment three to six months after the Advocate General’s opinion which means the Court could make a determination by the first half of 2020. Then, the Irish High Court will need to proceed with the case in accordance with the Court’s decision. If the ECJ follows the opinion of the Advocate General, the DPC will ultimately be back in the same position as it was in 2016 where it will need to make a decision regarding Mr. Schrems’s complaint.