Top EU Court's Adviser Says Personal Data Can Be Transferred Using 'Standard Contractual Clauses' — But Also Suggests That Privacy Shield Should Be Ruled Invalid
from the sting-in-the-tail dept
As is usual for cases before the EU's highest court, the Court of Justice of the European Union (CJEU), a senior legal adviser, the Advocate General, offers a preliminary opinion ahead of the main ruling. The Advocate General's view is not binding on the court, but it often gives a good idea of how things will go. That makes some of the issues raised in a new opinion by Advocate General Saugmandsgaard Øe (pdf) concerning the EU's GDPR privacy regulation particularly interesting. The case is yet another one triggered by a complaint from the privacy activist Max Schrems in the wake of Edward Snowden's revelations. The background is summed up well by the press release on the Advocate General's opinion (pdf):
The data of Facebook users residing in the EU, such as Mr Schrems, are transferred, in full or in part, from Facebook Ireland, the Irish subsidiary of Facebook Inc., to servers located in the United States, where they are processed. In 2013, Mr Schrems lodged a complaint with the Irish authority responsible for monitoring the application of the provisions relating to the protection of personal data (‘the supervisory authority’), taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency or ‘NSA’), the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. The supervisory authority rejected the complaint, on the ground, inter alia, that in a decision of 26 July 2000 the Commission had considered that, under the ‘safe harbour’ scheme, the United States ensured an adequate level of protection of the personal data transferred.
As Techdirt reported, the "safe harbor" framework was thrown out by the CJEU in 2015 because it failed to offer enough protection for EU data. It was swiftly replaced by the Privacy Shield framework, a slightly tweaked version of the safe harbor scheme. Both made transfers of EU personal data to the US legal by way of a European Commission decision finding that US data protection standards are "adequate".
But there is another way to make such transfers legally. Instead of relying on a general framework, individual companies can use standard contractual clauses (SCCs): a contractual promise by the recipient that EU personal data will be protected in the US (or elsewhere) according to EU standards. The key issue considered by the Advocate General in advance of the CJEU ruling is whether the use of SCCs for the transfer of personal data to non-EU countries is valid. On that point, the court adviser has now said that in his view SCCs can be used as an alternative to frameworks like Privacy Shield. The main reason is that transfers under SCCs can be suspended at any time, for example if evidence emerges that EU personal data is not sufficiently protected under the laws of the destination country. The Advocate General goes further, saying:
there is an obligation — placed on the data controllers [in a company, for example] and, where the latter fail to act, on the supervisory authorities [of each EU nation] — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.
So the good news for companies is that SCCs are a perfectly legitimate way of transferring EU personal data to the US. The bad news is that the data protection authorities in the EU must check whether the personal data is really protected according to EU norms and, if it is not, block the flows immediately. In his press release on the opinion (pdf), Schrems says this would be a huge step for the enforcement of the GDPR if the CJEU follows it: "At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints." In particular, Schrems says the Irish Data Protection Commissioner (DPC) would have to suspend the data flows between Facebook Ireland and Facebook Inc., because the DPC has already agreed that EU data is not sufficiently protected by the latter. More generally, Schrems thinks this will lead to "More privacy for EU consumers, massive issues for certain US business":
If the Court follows today’s opinion to have a “targeted approach” [on a case-by-case basis], there would be no impact on most EU data transfers. EU data protection authorities may however stop transfers to US companies that fall under FISA 702 (“electronic communication service providers”). This includes companies like Facebook, Google, Microsoft, Amazon Web Services or Yahoo.
Although it’s subsidiary to the main issue of whether SCCs are valid, the Advocate General concludes with something of a legal bombshell. As the press release puts it:
According to the Advocate General, the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87 [regarding SCCs]. Nevertheless, the Advocate General sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.
The Advocate General is saying that the EU’s top court doesn’t have to consider whether today’s Privacy Shield offers enough protection of EU personal data sent to the US, but if it chooses to do so, he thinks it ought to rule that it’s invalid. If the CJEU agrees, and throws out Privacy Shield as it threw out the safe harbor framework, that would have a major impact on today’s digital world. We’ll find out some time next year whether the judges are happy to do that.