The Advocate General of the European Court of Justice (“ECJ”) has recommended that the court uphold the validity of the controller-to-processor Standard Contractual Clauses in the case of Data Protection Commissioner v. Facebook Ireland Limited (commonly referred to as Schrems II).
Background and facts
The case concerns the Austrian privacy activist, Max Schrems, and the transfer of his personal data by Facebook from Ireland to the US. In an earlier decision involving Schrems and Facebook, the ECJ invalidated the EU-US “Safe Harbor” transfer mechanism (which then led to the EU-US “Privacy Shield” framework being implemented as a replacement for the Safe Harbor scheme).
At a very high level, Schrems’ complaint in the present case is that Facebook should not be allowed to rely upon the Standard Contractual Clauses to transfer his personal data to the US since these do not adequately protect his personal data once transferred due to the wide-reaching surveillance powers provided to US governmental organisations.
Although the case relates specifically to transfers by Facebook to the US, one potential outcome of the case was that the Standard Contractual Clauses would be invalidated. This would have broad implications for a large number of businesses which currently rely upon Standard Contractual Clauses as a convenient mechanism to transfer personal data outside of the European Economic Area.
Advocate General’s Opinion
Given the opinion of the Advocate General, which is not binding on the ECJ but which is followed in around 80% of cases, it seems unlikely that such an outcome will materialise.
The key points to note from the Advocate General’s opinion are as follows:
- The decision of the ECJ should not result in the Standard Contractual Clauses being invalidated. These are designed to provide protection to the transferred data through contractual means, irrespective of the law in the country of the data importer.
- It is for the controller (the data exporter) to assess on a case-by-case basis whether the Standard Contractual Clauses can be or are being implemented properly in practice (including by reference to the law of the country of the importing party). If not, the transfers must be prohibited or suspended by the controller.
- Where it appears that the Standard Contractual Clauses are not being complied with, supervisory authorities (such as (in the UK) the ICO) are required to take measures to remedy this, for example, by ordering suspension of the transfer.
- The ECJ should not rule on the validity of the EU-US Privacy Shield framework as part of its decision (although the Advocate General does discuss this at length in his opinion and casts doubt on its validity as a transfer mechanism).
It is to be expected that the EU Commission will issue updated controller-to-processor Standard Contractual Clauses in the not-too-distant future. The general consensus is that they are outdated and in need of a refresh to reflect the requirements of the GDPR.
The Advocate General’s opinion will come as welcome news to the numerous businesses which currently rely upon Standard Contractual Clauses. The opinion does highlight, however, that businesses should in practice be reviewing compliance with such clauses and not simply treating the implementation of the contracts as a tick-box exercise.
The above is of course subject to change based on the final decision of the ECJ in this case (expected early 2020). We will be keeping our eyes on this and will update you once we are in a position to do so.
Ben Nolan is a Solicitor Admitted in Scotland, in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org