The Advocate General (AG) recently confirmed before the European Court of Justice (CJEU) that Standard Contractual Clauses (SCCs), in the context of Schrems II, remain valid for the transfer of personal data to processors established in third countries. Businesses across the globe welcome this opinion; however, what are the practical implications for firms exporting data outside the European Union (EU) if the CJEU upholds the AG’s opinion in the upcoming judgment?
The case concerns Max Schrems, an Austrian privacy advocate, who filed a complaint with the Irish Data Protection Commissioner in 2015, challenging Facebook Ireland’s reliance on EU SCCs as a legal basis for transferring personal data to Facebook Inc. in the United States (U.S.). Facebook turned to SCCs as a legal basis after Schrems I invalidated the Safe Harbor framework. One of the main arguments brought forward by Schrems was that once personal data is transferred to the U.S., SCCs do not ensure an adequate level of protection for EU data subjects and consequently do not provide a sound legal basis. The CJEU’s assessment of SCCs’ legality will determine not only the future of Facebook’s business activities but of all businesses relying on these clauses in transferring personal data outside the EU.
The AG’s opinion on SCCs
The AG examined several issues, including the scope of EU data transfer rules, the standard of protection that SCCs must meet under EU law, and the validity of SCCs in light of the level of data protection provided in the third country.
Concerning the validity of SCCs and practical implications for businesses relying on these clauses, the AG made some far-reaching assessments:
- SCCs are valid, and they provide a general mechanism applicable to transfers of personal data irrespective of the third country destination. The appropriate safeguards afforded by contractual means guarantee the appropriate level of protection, not the laws and practices of the third country.
- SCCs compensate for the lack of protection afforded by the third country of destination. Therefore, whether SCCs adequately compensate for protection deficiencies cannot depend on the level of protection guaranteed in the third country.
- Whether or not SCCs are compatible with the EU Charter of Fundamental Rights depends on the efficiency of mechanisms in place to ensure that transfers based on SCCs are prohibited where the clauses would be impossible to recognise.
Although the AG’s opinion is not legally binding, it is expected to have wide-reaching implications, as the CJEU usually follows the AG’s views. If the CJEU does so in its final judgment, which is due in 2020, SCCs will remain a valid mechanism for transferring personal data from the EU to third countries.
Data exporter’s responsibility and the principle of accountability
Businesses or organisations transferring data outside the EU are subject to obligations and liabilities. Thus, companies exporting personal data outside the EU cannot merely rely on signing an agreement based on SCCs. Data transfers must always be carried out in conjunction with, and according to, the principles envisaged in the General Data Protection Regulation (GDPR), in particular the principle of accountability. For that reason, businesses controlling the data must choose a reliable counterparty.
Notably, data controllers are asked to perform checks of the processors and ensure data protection compliance. A company that relies on SCCs to transfer personal data outside the EU should ensure that it performs and documents periodic checks as well as methods of risk assessment to warrant and prove it has control over the transfers. Without specific instructions in place, a data exporter should always consider its responsibility to comply with the provisions and principles of the GDPR.
Outlook for businesses
The GDPR provides limited means for companies to transfer personal data outside the EU, subject to strict prerequisites. For that reason, if the CJEU does not follow the AG’s opinion, rigid boundaries would emerge, forcing businesses to seek alternative means to transfer data outside the EU, or companies would stop such activities altogether.
For that reason, the AG’s opinion is mostly welcomed by businesses relying on SCCs for legitimising transfers of personal data outside the EU, provided that the CJEU follows the AG’s approach to the questions. Nonetheless, the AG stated:
“A supervisory authority must examine with all due diligence the complaint lodged by a person whose data are alleged to be transferred to a third country in breach of the standard contractual clauses applicable to the transfer,” and, “where appropriate it must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means”.
Therefore, businesses are urged to ensure that SCCs are complied with in practice and to undertake checks of the counterparty to the extent appropriate. Otherwise, they may risk transfers being suspended by the supervisory authorities altogether.