Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General

Alston & Bird
Contact

The Advocate General’s Opinion of December 19, 2019 deemed valid the Standard Contractual Clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. Currently, many companies rely on SCCs as a mechanism for transferring personal data from the EU to non-EU countries in compliance with the GDPR. The opinion therefore confirms that companies relying on SCCs do not need to consider changing their practices.

Background
Max Schrems first filed a complaint against Facebook’s data transfer practices with the Irish data protection authority (Data Protection Commission or DPC) in 2013 which led to the invalidation of the U.S.-EU Safe Harbor framework by the European Court of Justice (ECJ), the highest court of the EU, in October 2015. As a result, many companies that previously relied on Safe Harbor for data transfers adopted SCCs to transfer data to processors outside of the EU since the replacement for Safe Harbor, Privacy Shield, was not operational until August 2016.

In the wake of the Court’s decision, Mr. Schrems filed a new complaint with the DPC focused on Facebook’s transfer of personal data from the EU to the US based on SCCs. In response, the DPC sought clarity through the courts not only on the validity of SCCs but also on Privacy Shield. The DPC filed a claim with the Irish High Court which subsequently referred the case to the ECJ along with 11 questions. On July 9, 2019, the ECJ heard oral arguments in the case (Schrems 2.0).

Advocate General’s Opinion
On December 19, 2019, the Court’s Advocate General Henrik Saugmandsgaard Øe provided his opinion for Schrems 2.0. Although not legally binding, the opinion of the Advocate General is highly influential. Below are three key takeaways from the opinion:

  • The ECJ should focus its decision on the subject matter at issue to allow the Irish High Court to resolve the dispute in the main proceedings (i.e. address the validity of SCCs and ignore questions regarding Privacy Shield).
  • The safeguards and level of data protection provided in the country in which data is transferred is not relevant to the validity of SCCs. SCCs are a valid data transfer mechanism because they provide the appropriate safeguards for data transfers from the EU through the soundness of the safeguards provided by the clauses.
  • Where there is a conflict between the provisions of the SCCs and the law of the country where the data is being transferred to, the controller (data exporter) must suspend or prohibit affected data transfers where the provisions of the SCCs cannot be complied with. This is because any failure to implement the SCCs by the processor (data importer) means that the controller cannot warrant an adequate level of protection in accordance with the SCCs. Where a controller fails to suspect or prohibit transfers, the competent data protection authority must ensure that the transfers are suspended or prohibited. This should be determined on a case-by-case basis for each specific transfer by the controller.

What’s Next
Typically, the ECJ will issue a judgment three to six months after the Advocate General’s opinion which means the Court could make a determination by the first half of 2020. Then, the Irish High Court will need to proceed with the case in accordance with the Court’s decision. If the ECJ follows the opinion of the Advocate General, the DPC will ultimately be back in the same position as it was in 2016 where it will need to make a decision regarding Mr. Schrems’s complaint.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.