What has happened?
Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs: they need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of the SCCs.
The AG also expressed concerns over the EU/US Privacy Shield. If the Court of Justice of the European Union (“CJEU”) follows this opinion, that would result in substantial additional burdens before using SCCs: data exports to certain states could de facto be excluded if the security laws in the jurisdiction of the data importer would lead to a breach of the SCCs. It could also have ramifications for the UK after Brexit.
Does this mean we don’t have to worry about the SCCs being invalidated?
No, not just yet.
The AG’s opinion is not binding. It may give an indication of where the CJEU might end up when it gives its final judgement, which is expected in the first quarter of 2020. But, for the time being, data flows can continue as usual.
However, interestingly, the “Prep-Document” published by Max Schrems’ organisation (“None Of Your Business”) in advance of yesterday’s opinion, suggested that a divergence in opinion between the AG and the final judgement was “very likely”. Max Schrems was quoted as saying: “During the court hearing the Advocate General asked questions in a very different direction than the Judges. The judges seemed to be much more critical of US law and the assessment by the European Commission than the Advocate General. I therefore expect that the final judgement may provide stricter privacy protections than the opinion on Thursday”.
So the future for the SCCs does remain uncertain.
This opinion serves as a reminder to pay more attention to the precise terms of the SCCs which organisations so readily agree to, but often with very little thought.
One of the reasons that the AG was satisfied with the SCCs as a transfer mechanism was that the SCCs contain “sufficiently sound mechanisms” to address situations where transferring personal data in accordance with the terms of the SCCs becomes impossible because of national security laws in the jurisdiction of the data importer. The SCCs state that where there is a conflict of this nature, the importer must inform the exporter, and the exporter is entitled to suspend the transfer and/or terminate the SCCs.
In practice, this provision of the SCCs is often overlooked. Until today, this obligation of the data importer has in effect never been complied with. However, the AG’s opinion shines a light on these provisions and could require a much stricter application, meaning that the SCCs may no longer be usable for transfers of certain data sets to countries whose national security laws conflict with the SCCs.
If the CJEU follows the AG’s opinion, organisations (as parties to the SCCs) will need to review and examine each transfer made pursuant to the SCCs in detail before they can use the SCCs confidently. The AG said that such an examination would entail considerations of: “all of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanism employed by the exporter and/or the importer to ensure its security, the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country”. This is not an easy task! If organisations start taking their SCC obligations seriously, it has the potential to cause serious friction between importers and exporters, raising a plethora of questions about where responsibilities and liabilities start and end. The AG’s opinion can be read as requiring organisations to analyse in detail all aspects of the legal regime applicable to their data in the data importer’s jurisdiction, which, in a worst case scenario, could apply to each type of transfer made.
The AG, therefore, suggests moving the responsibility for using the SCCs to the individual company exporting data. An export to jurisdictions with extensive national security surveillance regimes would be a substantial risk. In effect, the AG suggests refraining from such transfers because the SCCs could not be complied with in any case.
Should we be worried about the future of Privacy Shield?
Perhaps a little.
In his opinion, the AG’s doubts were essentially about whether:
1. the safeguards around US surveillance measures are equivalent to those under GDPR, read in light of articles 7 and 8 of the Charter; and
2. the role of the Privacy Ombudsperson can compensate for insufficiencies of the judicial protection afforded to individuals whose data is transferred to the United States.
But we will have to wait for the final judgement. If it follows the AG’s opinion, then it could influence the case of La Quadrature du Net v Commission. In this case, the French advocacy group La Quadrature du Net is seeking to invalidate the Privacy Shield Decision on the basis that it fails to uphold fundamental EU rights on account of US government mass surveillance practices. This case was meant to be heard by the General Court in July but was postponed to await the judgement in Schrems II.
If the CJEU agrees with the AG, can the decision be challenged?
No, the CJEU is the highest court in the EU and therefore the ruling is not subject to further appeal.
How did this case come about?
This case arose following a complaint made by the privacy activist, Max Schrems, to the Irish Data Protection Commissioner (“DPC”) in December 2015. Mr Schrems alleged that the transfer of his personal data from Facebook Ireland to its parent company in the US, made on the basis of SCCs, did not protect his fundamental rights under EU law given the ability of the US to carry out mass surveillance on EU citizens’ personal data without adequate judicial remedies. He argued that the DPC should suspend those particular transfers, not the SCCs generally. However, the DPC’s view was that the SCCs were part of a systematic problem and should be invalidated generally. The DPC brought proceedings before the High Court requesting it to refer questions to the CJEU.
This case is a continuation of Mr Schrems’ earlier complaint against Facebook, which led to the invalidation of the Privacy Shield’s predecessor, Safe Harbor, in 2015 (known as Schrems I). Similar issues were raised in that case and, although the US has taken steps to demonstrate the adequacy of the redress available to EU citizens (e.g. the appointment of a US Privacy Ombudsman), this opinion suggests that these steps are not sufficient.
What should data controllers do whilst waiting for the final judgement and the outcome of La Quadrature du Net v Commission?
Whilst it is too early to decide on a conclusive course of action, there are things that organisations can do in anticipation of more clarity on how the data transfer landscape will look going forward:
1. Brief senior management on the situation; additional resources may be required.
2. Get out your article 30 register of processing activities and identify where you are relying on SCCs and the Privacy Shield, for both internal and external data transfers. This should help you understand the extent of the work ahead if the judgements invalidate either or both of the transfer mechanisms.
3. Check the data transfer provisions of contracts with third party vendors. After Schrems I, some farsighted vendors anticipated that commonly used transfer mechanisms could be precarious, appreciating that in the long term other solutions like BCRs or certifications would be a better bet. Therefore, some contracts provide that if the vendor has adopted BCRs or similar then the SCCs or Privacy Shield do not apply in any event. So, some transfers may actually be safer than originally thought.
Vendors not in this category will usually have made contractual commitments to find alternative data transfer solutions in the event that their current model was deemed to be invalid.
4. Find out whether it is possible to reconfigure global access/admin rights.
If the SCCs or the Privacy Shield are invalidated or, as explained above, if organisations are required to make detailed assessments of the national security laws in third countries, it could become very difficult to transfer data to countries that have very permissive national security laws. Therefore, storing data locally may become an appealing option. Consider reviewing, and where possible amending, internal access rights, as this may provide a practical workaround. For example, if the global administrator for your CRM is in the US, it may be worth seeing if it is possible to limit their access and appoint an alternative person within the EEA.