The Advocate General of the CJEU Proposes to Uphold the Validity of the Standard Contractual Clauses but Questions the Validity of the E.U.-US Privacy Shield
In a non-binding recommendation, the Advocate General of the Court of Justice of the European Union (CJEU) recommended that the Court uphold the validity of the Standard Contractual Clauses but questioned the validity of the E.U.-US Privacy Shield.
The General Data Protection Regulation (GDPR) provides that personal data may be transferred outside of the European Economic Area only if the transferee country ensures an adequate level of protection of the data. In the absence of an adequacy decision by the European Commission, data can only be transferred on the basis of one of several prescribed mechanisms.
The Standard Contractual Clauses (SCCs), incorporated into the contract between the exporter and importer of the data, are the most widely used solution for organizations to facilitate cross-border data transfers in compliance with the GDPR. According to a recent survey, about 88% of companies rely on the SCCs.
The EU-U.S. Privacy Shield, which was officially adopted in 2016 by the European Commission, is also a data transfer mechanism between the two regions. The Privacy Shield replaced the Safe Harbor data transfer framework, which was invalidated by the CJEU in 2015 as a result of a legal challenge brought by privacy advocate Max Schrems stemming from transfers of his data from an Irish Facebook subsidiary to Facebook servers located in the United States (Schrems I). The CJEU found that the Safe Harbor lacked protection of fundamental rights “essentially equivalent” to that in the EU. In particular, it found that U.S. national security, public interest and law enforcement had been placed above the Safe Harbor principles.
Following the 2015 CJEU decision, Facebook sought to rely on the SCCs as the basis for the cross-border transfer of Schrems’s personal data. Schrems, in turn, asserted that the SCCs could not justify the transfer to the United States given the potential for the U.S. government’s access to his data (Schrems II). The High Court of Ireland referred the matter to the CJEU.
The Advocate General of the CJEU proposed that the Court should uphold the validity of the SCCs. The Advocate General concluded that:
(1) EU law applies to a transfer of personal data from a member state to a third country where that transfer forms part of a commercial activity, even if the transferred data may undergo processing by government authorities intending to protect the national security of that country;
(2) The fact that the SCCs are not binding on government authorities in the destination country does not, in itself, render them invalid. Rather, the compatibility of the SCCs with the provisions of the Charter of Fundamental Rights of the European Union depends on the existence of mechanisms to ensure that transfers based on the SCCs are suspended or prohibited where those clauses are breached or impossible to honor;
(3) Such a mechanism already exists under the SCCs, as they implicitly obligate the data exporter to suspend the transfer or terminate the contract in the event that the legal obligations imposed on the importer entail a breach of the SCCs and therefore prevent the transfer from being accomplished by appropriate safeguards;
(4) In that regard, the parties to the data transfer contract are required to undertake an examination which would consider all the circumstances pertaining to the transfer, including the nature and sensitivity of the data, the mechanisms employed by the exporter and the importer to ensure data security, the nature and purpose of the processing by the government authority in the receiving country, as well as the limitations and safeguards ensured by that country.
(5) Where the controller fails to discharge its obligation to suspend the transfer, the EU’s local data protection authority has the power to suspend the transfer if it concludes that the transferred data is not adequately protected.
With respect to the Privacy Shield, the Advocate General concluded that it was not necessary for the CJEU to examine its validity in the case before the Court. Nevertheless, the Advocate General offered his observations on the Privacy Shield’s validity and questioned the adequacy of the level of protection ensured by the United States with respect to the electronic communications surveillance activities carried out by the U.S. intelligence authorities. The validity of the Privacy Shield is the subject of a separate case brought by La Quadrature du Net before the General Court of the EU. The decision in that case, originally expected in July, was postponed pending the resolution of Schrems II.
The CJEU is expected to issue its opinion sometime in the first quarter of 2020. If the Court follows the Advocate General’s recommendations regarding the Standard Contractual Clauses, companies will face more compliance uncertainty and costs with respect to cross-border data transfers, as they would be required to engage in a case-by-case analysis of each transfer in the context of the receiving country’s national security laws.