Global menu

Our global pages

Close

Update: Advocate General advises that the validity of standard contractual clauses is not affected by complaints made in Schrems II

  • United Kingdom
  • Privacy, data protection and cybersecurity

19-12-2019

What do I need to know?

On Thursday 19 December, Advocate General Saugmandsgaard Øe published his Opinion in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (widely referred to as “Schrems II”). The Opinion is not binding, however it provides us with a strong indication as to what the Court of Justice of the European Union’s (“CJEU”) judgment will be.

The key takeaways from the Opinion are as follows – the AG advises that:

  • the validity of European Commission Decision 2010/87/EU regarding the standard contractual clauses adopted by the European Commission (“SCCs”) should not be affected by the questions referred to the CJEU by the Irish High Court, and that the SCCs provide a valid mechanism to facilitate international transfers of personal data.
  • where SCCs are relied upon to legitimise transfers of personal data to a third country, the onus is on controllers and supervisory authorities to suspend or prohibit transfers when the SCCs cannot be complied with by the data importer in a third country due to obligations imposed by the law of that country.
  • the CJEU should refrain from ruling on the impact of Privacy Shield on the complaint raised by Schrems in the case and the validity of the Privacy Shield decision. However, the AG does set out a number of observations from paragraphs 188-342 including reasons that lead him to question the validity of the Privacy Shield decision. 

The CJEU may of course take a different view – its judgment is expected to be issued in January 2020. In the meantime, organisations should be able to take some comfort over the festive period in the knowledge that the SCCs remain a valid mechanism for transfers of personal data outside of the European Economic Area (“EEA”).

What is the legal background?

The General Data Protection Regulation EU 2016/679 (“GDPR”) provides that transfers of personal data to a third country (i.e. any country outside the EEA) may only take place if the conditions set out in Chapter V of the GDPR are complied with. The chapter sets out the various “appropriate safeguards” that can be relied upon in order to legitimise data transfers. One such safeguard is the SCCs which are widely used by organisations across the EU to facilitate the many international transfers of personal data in the day to day business operations of the global economy.

What is Schrems II all about?

In Schrems II, the CJEU has been asked to consider whether the European Commission Decision 2010/87/EU – in which the Commission established the SCCs which are relied on to facilitate the transfers which Schrems has complained about – is valid.

Schrems has complained to the Irish Data Protection Commissioner (“DPC”) about certain transfers of his personal data from the EEA to the US on the basis of the SCCs, emphasising that the SCCs cannot be enforced effectively in light of revelations regarding the level of US national security agencies’ access to the relevant personal data.

The DPC decided to seek declaratory relief – considering that the matter was dependant on the validity of Decision 2010/87/EU and a matter for the courts – so brought proceedings in the Irish High Court, and requested that a referral to the CJEU be made. This decision was met by criticism and confusion from some who considered the DPC as already having the power to decide whether the transfers are GDPR compliant – including the chair of the European Data Protection Board, who reportedly remarked that “It is to the supervisor authority to assess, based on a complaint, whether data are protected under standard contractual clauses . If not, they may suspend transfers”.

The Irish High Court referred a number of questions to the CJEU for a preliminary ruling. The case was heard by the CJEU on 9 July 2019 and the CJEU’s full judgment is anticipated to be published in January.

What’s this got to do with Privacy Shield?

The Schrems II case follows 2015’s Case C-362/14 Maximillian Schrems v Data Protection Commissioner in which the Safe Harbour framework (another mechanism used by organisations to legitimise transfers of personal data from the EEA to the US, and precursor of the Privacy Shield) was declared invalid.

In addition, and somewhat confusingly, an entirely separate case also relating to international data transfers but this time the Privacy Shield, is simultaneously making its way through the European courts. In Case T-738/16 La Quadrature du Net v Commission, La Quadrature du Net (a French non-profit association that defends the rights and freedom of citizens on the Internet) has brought an action for the decision governing the EU-US Privacy Shield framework to be annulled. The General Court of the CJEU was due to hear the case on 1-2 July this year. However, the court vacated the hearing to await the judgment in Schrems II.

The detailed observations of the AG in relation to the Privacy Shield in his Opinion in Schrems II (see pages 55-95) may influence the General Court’s decision in that case.

Useful links

For more information contact

< Go back

Print Friendly and PDF
Subscribe to e-briefings