Standard Contractual Clauses: New obligations for data transfers?
Just before the advent of 2020, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) rendered his 70-page Opinion on the Schrems II case. This followed the finding of the CJEU in Schrems that the Safe Harbor, i.e., the data transfer mechanism between the EU and US, was invalid. The original handler of this case, i.e., the Irish Data Protection Commission (DPC), then opened an investigation and requested Mr Schrems to reformulate his complaint having regard to this invalidity finding. Mr Schrems did so and challenged the lawfulness of the Standard Contractual Clauses (SCCs) between Facebook Ireland and Facebook Inc. (established in the United States). The DPC submitted this with a request for preliminary rulings to the CJEU and the AG delivered his Opinion on 19 December 2019. In this article, we look at his key findings that could impact international data transfers going forward.
The AG discussed several issues, but his main focus was whether the Commission’s Decision 2010/87 which established the SSC was valid. The AG examined the validity of this Decision by reference to Article 46(1) of the GDPR. Article 46 allows SSC for international data transfers in the absence of an adequacy decision. In this context, the AG also examined the appropriate standards of protection that a third country must respect where SSC are used.
Among several critical findings, the AG suggested that:
- The GDPR applies to international data transfers for commercial reasons even if this data may be further used for national security purposes in the third country. Indeed, further data processing in the third country is irrelevant with regards to the application of the GDPR to the initial data transfer.
- The Privacy Shield, i.e., the current data transfer mechanism between the EU and US, is probably in conflict with the GDPR and the EU’s fundamental rights framework. Nonetheless, the AG left this assessment for future judgments.
- Whether organisations rely on an adequacy decision or SCCs to transfer data, they still need to comply with the requirements of the EU fundamental rights framework. This means that just having SCCs in place does not suffice for ensuring lawful data transfers. Organisations should pay specific attention to the conditions of further data processing by the public authorities and intelligence services in the third country. Since the SCCs are binding only for the contractual parties (data importer and exporter), the AG highlighted the need for additional and effective safeguards for data transfers to be lawful.
- In this context, the AG suggests enhanced obligations for data controllers, processors and data protection authorities. In particular, where the data importer is unable to respect the SCCs and the rights of data subjects are at risk, the controller should consider suspending the data transfer or terminating the SCCs. Similar, if legislative changes in the third country could substantially affect the implementation of SCCs, the importer should notify the exporter. The data exporter should then notify the responsible supervisory authority to take action.
- The data protection supervisory authorities should suspend and prohibit international data transfers based on SCCs where the transferred data do not enjoy the appropriate protection as required under the GDPR.
The AG suggests that the SCCs, as originally drawn under the Data Protection Directive 1995/46/EC, remain valid. Privacy Shield for data transfers to the USA also remains valid but it may be invalidated by the CJEU in the future. He also suggests that data controllers, processors and supervisory authorities share the responsibility for monitoring their effective implementation.
If the CJEU follows the Opinion of the AG and finds the existing SCCs valid, this will support legal clarity around data transfers under the GDPR. The CJEU could also go further to suggest that all the involved parties bear the above responsibilities for ensuring the effective implementation of SCCs. In this case, organisations should actively review their data processing agreements and SCCs in place with processors to identify any conditions that could jeopardise the rights and freedoms of data subjects. They should also check whether these agreements are respected in practice and document their decisions as to whether their continuity, suspension or termination is justified.
Although the Opinion of the Advocate General is not legally binding, this Opinion provides a hint of what the Court will decide eventually and how the international transfers will be treated under the GDPR. Needless to say, the impact of this judgment could touch the United Kingdom both as a data exporter and importer in light of the upcoming Brexit and will place greater obligations to monitor how personal data is processed and by whom.
Trilateral’s advisors can support you in meeting your compliance needs.
For more information, please visit our Data Protection and Cyber-Risk Service page and do not hesitate to contact a member of our team.