The Advocate General of the Court of Justice of the European Union has rendered his opinion on the use of Standard Contractual Clauses adopted by the European Commission. The opinion proposes to uphold the validity of such clauses as the legal basis for transfer of personal data to third countries, even though the receiving country has not been subject to an adequacy decision by the European Commission.
On 19 December 2019, the Advocate General of the Court of Justice of the European Union (CJEU) delivered his opinion in case C-311/18 (the so-called ‘Schrems II-case’). The case concerns the validity of the Standard Contractual Clauses (‘SCCs’), which were adopted by the Commission in Decision 2010/87. The Advocate General proposes to uphold the validity of SCCs as a legal basis for transferring personal data to countries that have not been found to have an adequate level of data protection. The opinion clarifies that the validity of the SCCs does not depend on an adequacy decision of the third country, and that the SCCs guarantee an high level of protection through the appropriate safeguards afforded by the parties. The compatibility of the SCCs with the EU Charter of fundamental rights is dependent on the availability of mechanisms to suspend or prohibit data transfers in case that the SCCs are breached or impossible to honour.
The dispute has its origin in case C-362/14 (also known as the ‘Schrems-case’) where the CJEU ruled that the Safe Harbour framework (a mechanism that many companies were relying on to legitimize data flows from the EU to the U.S) was invalid. The Safe Harbour was subsequently replaced by the Privacy Shield framework. Following the findings in the initial Schrems-case an additional complaint was reformulated and brought to the Irish Data Protection Commissioner (the Irish DPA) adressing the validity of the SCCs and the Privacy Shield framework. The Irish DPA brought proceedings before the Irish High Court, which referred 11 questions to the CJEU for a preliminary ruling (the Schrems II-case).
The questions referred to CJEU, in which the Advocate General has proposed his legal solution, included questions on: (1) what level of protection is required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses, and (2) whether the fact that the SCCs does not bind national authorities in the third country preclude the clauses from securing adequate safeguards.
The key items of the Advocate General’s opinion are:
The validity of SCCs is not dependent on an adequacy decision pertaining to the receiving country:
The Advocate General finds that the provisions on transfer of personal data to third countries found in the General Data Protection Regulation 2016/679 (GDPR) Chapter V, aims to ensure a high level protection of personal data irrespective of the legal basis. However, it is the Advocate General’s opinion that the way the protection is achieved differs according to the legal basis.
The Advocate General states that an adequacy decision aims to determine whether the receiving country, based on the law and practices in the receiving country, ensures an essentially equivalent level of protection as the protection provided by GDPR read in the light of the EU Charter of fundamental rights.
The Advocate General notes that GDPR art. 46 (1), allows personal data to be transferred to inadequate third countries, but only if appropriate safeguards are provided otherwise, for instance by adopting SCCs. The level of protection guaranteed by the SCCs, is according to the Advocate General achieved through appropriate safeguards afforded by the data controller, and that the SCCs itself guarantees a sufficient level of protection irrespective of the level of protection in the receiving country.
It is the opinion of the Advocate General that the use of SCCs should remain valid as a legal basis for the transfer of personal data from the EU to third countries, as the SCCs ensure a general mechanism applicable to transfers that allows parties to establish the necessary safeguards.
SCCs are compatible with the EU Charter of fundamental rights even though they are not binding on the authorities in the receiving country:
The Advocate General notes that the fact that the SCCs are not binding on the authorities of the third country does not in itself render the SCCs invalid.
The Advocate General states that the compatibility of SCCs and the EU Charter of fundamental rights depends on whether there are sufficiently sound mechanisms to ensure that transfers based on SCCs are suspended or prohibited when the clauses are breached or impossible to honour.
According to the Advocate General such mechanisms are present when the SCCs obligate the data controller, and if the data controller fails to respond the national supervisory authorities, to suspend or prohibit a transfer when an SCC cannot be complied with, for instance because of a conflict between the SCCs and the obligations of the law of the receiving country.
The question of the validity of Privacy Shield is not relevant to the Schrems II- case:
The Advocate General found that the Irish High Court indirectly had called the lawfulness of the EU-U.S. Privacy Shield framework into question. The Advocate General emphasises that the subject matter of the proceedings relates to the validity of the SCCs and advises the CJEU to refrain from ruling on the validity of the Privacy Shield framework.
However, the Advocate General notes that if the CJEU were to rule on the subject, there are reasons to question whether the framework guarantees an adequate level of data protection in the light of the right to respect for private life and to an effective judicial remedy.
If the CJEU rules that Decision 2010/87 is valid as suggested by the Advocate General’s opinion, data controllers may continue to rely on the SCCs to transfer personal data from the EU to third countries. Hence, the opinion does not suggest to change the current rules on SCCs.
However, even if the Court renders Decision 2010/87 valid data controllers, using SCCs as legal basis for transfers, shall address privacy concerns regarding the SCCs, including actively ensuring that the SCCs are complied with, respectively whether a clause has been breached or if there is anything obstructing the possiblity to honour the SCCs.
The CJEU’s ruling is expected in the first half of 2020. Whether or not the CJEU will examine the Privacy Shield framework is uncertain. However, if the Privacy Shield framework is assessed considering the Advocate General’s opinion the Court may find the framework invalid.
Read the Advocate General’s opinion here (in English).